set php session security related settings (correctly in every case)
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
d00p committed Aug 25, 2021
1 parent ec1c37a commit 4b22470872811fdd17da2c524db93a301724e3e0
Showing with 10 additions and 0 deletions.
  1. +6 −0 index.php
  2. +4 −0 lib/init.php
@@ -28,6 +28,12 @@
}

if (session_status() == PHP_SESSION_NONE) {
ini_set("session.name", "s");
ini_set("url_rewriter.tags", "");
ini_set("session.use_cookies", false);
ini_set("session.cookie_httponly", true);
ini_set("session.cookie_secure", $is_ssl);
session_id($s);
session_start();
}
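Review bot: The `session.cookie_httponly` and `session.cookie_secure` settings added right after `ini_set("session.use_cookies", false)` are inert for this code path, because with cookies disabled PHP never emits a session cookie and the id is instead taken from `$s` via `session_id($s)`; the same pair of lines appears in the second hunk of lib/init.php. If they are meant as defence in depth for a later cookie-based transport, say so where they are set: `// cookie flags have no effect while session.use_cookies is off; kept for when cookie transport is enabled`. Separately, `$is_ssl` is not assigned anywhere visible in index.php before this block; if it is undefined at line 28, `ini_set` receives null and cookie_secure silently resolves to off, so it should be computed before this block (lib/init.php derives it from `$_SERVER['HTTPS']`) or the dependency documented. The value of `$s` is established outside this hunk, so its validation cannot be judged here.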

@@ -161,7 +161,9 @@
/**
* If Froxlor was called via HTTPS -> enforce it for the next time by settings HSTS header according to settings
*/
$is_ssl = false;
if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
$is_ssl = true;
$maxage = Settings::Get('system.hsts_maxage');
if (empty($maxage)) {
$maxage = 0;
@@ -217,6 +219,8 @@
ini_set("session.name", "s");
ini_set("url_rewriter.tags", "");
ini_set("session.use_cookies", false);
ini_set("session.cookie_httponly", true);
ini_set("session.cookie_secure", $is_ssl);
session_id($s);
session_start();
$query = "SELECT `s`.*, `u`.* FROM `" . TABLE_PANEL_SESSIONS . "` `s` LEFT JOIN `";
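Review bot: `ini_set("session.cookie_secure", $is_ssl);` passes a bool where, before PHP 8.1, `ini_set` takes a string; in coercive mode false becomes '' and true becomes '1', which happens to work, but under `declare(strict_types=1)` it would be a TypeError, and the `true`/`false` literals on the neighbouring lines have the same dependence on coercion. Spelling the values out, `ini_set("session.cookie_secure", $is_ssl ? '1' : '0');`, makes the intent explicit and strict-types-safe. In the first hunk, `$is_ssl` is derived solely from `$_SERVER['HTTPS']`; if a deployment terminates TLS at a proxy (not something this section shows), the flag stays false and cookie_secure is off there, which deserves a comment at the `$is_ssl = false;` assignment. The code surrounding both hunks continues outside this section.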

