Fix #316 CSRF security issue set cookie samesite to strict
francoisjacquet committed Jul 31, 2021
1 parent f85e1e7 commit f95bd0d
Showing 2 changed files with 32 additions and 10 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
Expand Up @@ -16,6 +16,7 @@ Changes in 7.9.2
----------------
- Fix SQL error when single quote in Course Title in InputFinalGrades.php
- Fix include Semester course periods in the Schedule table in Schedule.inc.php
- Fix #316 CSRF security issue set cookie samesite to strict, thanks to @huntrdev

Changes in 7.9.1
----------------
41 changes: 31 additions & 10 deletions Warehouse.php
Expand Up @@ -109,19 +109,40 @@
*/
session_name( 'RosarioSIS' );

// See http://php.net/manual/en/session.security.php.
// @link http://php.net/manual/en/session.security.php
$cookie_path = dirname( $_SERVER['SCRIPT_NAME'] ) === DIRECTORY_SEPARATOR ?
'/' : dirname( $_SERVER['SCRIPT_NAME'] ) . '/';

session_set_cookie_params(
0,
$cookie_path,
'',
// Cookie secure flag for https.
( ( ! empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) ||
( isset( $_SERVER['SERVER_PORT'] ) && $_SERVER['SERVER_PORT'] == 443 ) ),
true
);
// Fix #316 CSRF security issue set cookie samesite to strict.
// @link https://www.php.net/manual/en/function.session-set-cookie-params.php#125072
$cookie_samesite = 'Strict';

// Cookie secure flag for https.
$cookie_https_only = ( ! empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off' ) ||
( isset( $_SERVER['SERVER_PORT'] ) && $_SERVER['SERVER_PORT'] == 443 );

if ( PHP_VERSION_ID < 70300 )
{
// PHP version < 7.3.
session_set_cookie_params(
0,
$cookie_path . '; samesite=' . $cookie_samesite,
'',
$cookie_https_only,
true
);
}
else
{
session_set_cookie_params( array(
'lifetime' => 0,
'path' => $cookie_path,
'domain' => '',
'secure' => $cookie_https_only,
'httponly' => true,
'samesite' => $cookie_samesite,
) );
}

session_cache_limiter( 'nocache' );

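Review bot: The `samesite` attribute configured in both branches is enforced by the client, so it mitigates CSRF only for browsers that honor it and adds no server-side check; given the commit title presents this as the fix for #316, a per-request CSRF token verification should remain the primary defense with this cookie attribute as defense in depth, and `'Strict'` also means the session cookie is not sent on top-level navigations arriving from another site, which is worth stating in the comment at `$cookie_samesite = 'Strict';`. The `PHP_VERSION_ID < 70300` branch works only because those versions pass the path string through to Set-Cookie unsanitized, which is why `$cookie_path . '; samesite=' . $cookie_samesite` ends up as a separate attribute; the comment `// PHP version < 7.3.` should say so, e.g. `// PHP < 7.3 has no samesite option: append it to the path, which those versions emit unescaped (see linked php.net note).` Separately, `$cookie_https_only` is derived only from `$_SERVER['HTTPS']` and `SERVER_PORT == 443`, so behind a TLS-terminating proxy the secure flag would presumably stay off; that logic predates this commit but is now the single input for both branches, so a comment noting the limitation would help the next maintainer.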
