Skip to content
Permalink
Browse files
secure session cookie, use samesite=strict
  • Loading branch information
TrystanLea committed Jul 22, 2021
1 parent f68021a commit ca1f5c3165fc51cfda4451c808c68ec877009523
Showing with 37 additions and 19 deletions.
  1. +16 −3 Modules/user/rememberme_model.php
  2. +8 −9 Modules/user/user_model.php
  3. +13 −7 core.php
@@ -40,16 +40,29 @@ class Rememberme {
// ---------------------------------------------------------------------------------------------------------
public function __construct($mysqli)
{
$this->mysqli = $mysqli;
$this->log = new EmonLogger(__FILE__);
$this->mysqli = $mysqli;
$this->log = new EmonLogger(__FILE__);

if (is_https()) {
$this->secure = true;
}
}

// ---------------------------------------------------------------------------------------------------------
public function setCookie($content,$expire)
{
$this->log->info("setCookie: $content $expire");

setcookie($this->cookieName,$content,$expire,$this->path,$this->domain,$this->secure,$this->httpOnly);
// setcookie($this->cookieName,$content,$expire,$this->path,$this->domain,$this->secure,$this->httpOnly);
// May be limited to PHP7.3
setcookie($this->cookieName,$content, [
'expires' => $expire,
'path' => $this->path,
'domain' => $this->domain,
'secure' => $this->secure,
'httponly' => $this->httpOnly,
'samesite' => 'Strict'
]);

// Double check cookie saved correctly
if (isset($_COOKIE[$this->cookieName]) && $_COOKIE[$this->cookieName]!=$content) {
@@ -154,15 +154,14 @@ public function emon_session_start()
if (substr($cookie_params['path'], -1) !== '/')
$cookie_params['path'] .= '/';
//not pass cookie to javascript
$cookie_params['httponly'] = 1;

session_set_cookie_params(
$cookie_params['lifetime'],
$cookie_params['path'],
$cookie_params['domain'],
$cookie_params['secure'],
$cookie_params['httponly']
);
$cookie_params['httponly'] = true;
$cookie_params['samesite'] = 'Strict';

if (is_https()) {
$cookie_params['secure'] = true;
}

session_set_cookie_params($cookie_params);
session_start();

if ($this->enable_rememberme)
@@ -15,20 +15,26 @@
// no direct access
defined('EMONCMS_EXEC') or die('Restricted access');

function get_application_path()
{
// Default to http protocol
$proto = "http";

function is_https() {
// Detect if we are running HTTPS or proxied HTTPS
if (server('HTTPS') == 'on') {
// Web server is running native HTTPS
$proto = "https";
return true;
} elseif (server('HTTP_X_FORWARDED_PROTO') == "https") {
// Web server is running behind a proxy which is running HTTPS
$proto = "https";
return true;
} elseif (request_header('HTTP_X_FORWARDED_PROTO') == "https") {
return true;
}
return false;
}

function get_application_path()
{
if (is_https()) {
$proto = "https";
} else {
$proto = "http";
}

if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {

0 comments on commit ca1f5c3

Please sign in to comment.