Add session regenerate after login & logout. Secure cookie if HTTPS.

close #1473
instantsoft · Aug 15, 2023 · ca5f150 · ca5f150
1 parent bd01519
commit ca5f150
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/system/core/config.php b/system/core/config.php
@@ -144,7 +144,7 @@ public function setData() {
             $replace_upload_host_protocol = true;
         }
 
-        $this->set('document_root', rtrim(PATH, $this->root));
+        $this->set('document_root', preg_replace('#(.*)('.preg_quote($this->root).')$#u', '$1', PATH . DIRECTORY_SEPARATOR));
         $this->set('root_path', PATH . DIRECTORY_SEPARATOR);
         $this->set('system_path', $this->root_path . 'system/');
         $this->set('upload_path', $this->document_root . $this->upload_root);

diff --git a/system/core/user.php b/system/core/user.php
@@ -265,6 +265,8 @@ public static function autoLogin($auth_token) {
 
         self::setUserSession($user, $user['ip']);
 
+        self::sessionRegenerate();
+
         return intval($user['id']);
     }
 
@@ -343,6 +345,8 @@ public static function loginComplete($user, $remember = false) {
         self::getInstance()->id = $user['id'];
         self::getInstance()->is_logged = true;
 
+        self::sessionRegenerate();
+
         return true;
     }
 
@@ -384,6 +388,8 @@ public static function logout() {
 
         self::sessionUnset('user');
 
+        self::sessionRegenerate();
+
         return true;
     }
 
@@ -486,6 +492,19 @@ public static function sessionStart(cmsConfig $config) {
         }
     }
 
+    public static function sessionRegenerate() {
+
+        session_regenerate_id(false);
+
+        $id = session_id();
+
+        session_write_close();
+
+        session_id($id);
+
+        session_start();
+    }
+
     public static function sessionSet($key, $value) {
 
         if (strpos($key, ':') === false) {
@@ -568,7 +587,7 @@ public static function setCookie($key, $value, $time = 3600, $path = '/', $http_
                 'path'     => $path,
                 'domain'   => $domain,
                 'samesite' => 'Lax',
-                'secure'   => false,
+                'secure'   => cmsConfig::isSecureProtocol(),
                 'httponly' => $http_only
             ]);
         }