[core] add parameters for the session cookie, and is now httponly by …

…default
jelix · Apr 10, 2020 · 80a29b5 · 80a29b5
1 parent 4d94d77
commit 80a29b5
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/lib/jelix/core/defaultconfig.ini.php b/lib/jelix/core/defaultconfig.ini.php
@@ -408,6 +408,13 @@
 ; share the same php session
 shared_session = off
 
+; parameters for the session cookie
+cookieSecure=off
+cookieHttpOnly=on
+cookieExpires=0
+; only supported with php 7.3.0+. Possible values: None, Strict, Lax
+cookieSameSite=
+
 ; indicate a session name for each applications installed with the same
 ; domain and basePath, if their respective sessions shouldn't be shared
 name=

diff --git a/lib/jelix/core/jSession.class.php b/lib/jelix/core/jSession.class.php
@@ -33,9 +33,27 @@ public static function start(){
             return false;
         }
 
-        //make sure that the session cookie is only for the current application
-        if (!$params['shared_session'])
-            session_set_cookie_params ( 0 , jApp::urlBasePath());
+        $cookieOptions = array(
+            'path' => '/',
+            'secure' => $params['cookieSecure'], // true to send the cookie only on a secure channel
+            'httponly' => $params['cookieHttpOnly'],
+            'expires' => $params['cookieExpires']
+        );
+
+        if (!$params['shared_session']) {
+            //make sure that the session cookie is only for the current application
+            $cookieOptions['path'] = jApp::urlBasePath();
+        }
+
+        if (PHP_VERSION_ID < 70300) {
+            session_set_cookie_params($cookieOptions['expires'], $cookieOptions['path'], '', $cookieOptions['secure'], $cookieOptions['httponly']);
+        }
+        else {
+            if ($params['cookieSameSite'] != '') {
+                $cookieOptions['samesite'] = $params['cookieSameSite'];
+            }
+            session_set_cookie_params($cookieOptions);
+        }
 
         if ($params['storage'] != '') {