
Increase session cookie safety #92

Open
wants to merge 1 commit into
base: 1.6.x
from

Conversation

@bytesplit commented Jan 12, 2018

Activate both secure cookie and HTTP only. SameSite is not available
before PHP7.3.0. Sadly, I had no option to activate cookie_secure only
if NGINX has been configured for HTTPS. Thanks to LetsEncrypt certs
this should not be too much risk.

@bytesplit (Author) commented Jan 12, 2018

I tested this with 1.2 and 1.4 and the changes are backwards compatible. Importing into 1.5 should work ok...

@nuxwin nuxwin self-assigned this Jan 12, 2018

@nuxwin nuxwin added the enhancement label Jan 12, 2018

@nuxwin (Member) commented Jan 12, 2018

@bytesplit You're assuming HTTPS connections. What about non-HTTPS connections?

@bytesplit (Author) commented Jan 12, 2018

For non-HTTPS the cookie_secure must be left false (default). I just had no chance to search the iMSCP settings to do an actual if-condition. When you tell me where to find out if the panel is configured for HTTPS, I could adjust the commit.

@bytesplit (Author) commented Jan 12, 2018

Erm, as isSecureRequest() answers true, I should be able to write something like: cookie_secure => isSecureRequest()

Will have to test, my PHP has become a little bit rusty...
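The conditional cookie_secure that the thread arrives at, written out as an added PHP example (not i-MSCP's own code or this PR's diff). It assumes a helper named isSecureRequest() as mentioned above; the stand-in defined here looks only at $_SERVER['HTTPS'] and deliberately ignores proxy headers such as X-Forwarded-Proto, which a client can spoof unless the proxy strips them.

```php
<?php
// Added example: harden the PHP session cookie without breaking panels that
// are still served over plain HTTP. A Secure cookie is never sent by the
// browser over http://, so setting it unconditionally logs every HTTP user out.

// Stand-in for the project's isSecureRequest(); assumption, not i-MSCP code.
function isSecureRequest(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Computes and applies the session cookie parameters; must run before
// session_start(). Returns the effective settings so they can be inspected.
function configureSessionCookie(): array
{
    $params = [
        'lifetime' => 0,                 // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => isSecureRequest(), // Secure flag only behind TLS
        'httponly' => true,              // hide the session id from document.cookie
    ];

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+ accepts an options array and understands SameSite.
        $params['samesite'] = 'Lax';
        session_set_cookie_params($params);
    } else {
        // Older PHP: positional signature, no SameSite support at all.
        session_set_cookie_params(
            $params['lifetime'],
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    return $params;
}

$effective = configureSessionCookie();
session_start();
// On an HTTP request $effective['secure'] is false; on HTTPS it is true.
```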
