Skip to content

2.1.0 - security, sessions and Admin panel

Choose a tag to compare

@wrobeltomasz wrobeltomasz released this 18 May 05:36

What's new:

Security & sessions - Reverse-proxy aware: auto-detect HTTPS via X-Forwarded-Proto, CF-Visitor, X-Forwarded-SSL.

  • Real client IP resolved via CF-Connecting-IP / X-Real-IP (fixes rate-limit collapse behind CloudFlare). - Fixed admin login redirect loop (ERR_TOO_MANY_REDIRECTS) caused by relative session.save_path under PHP-FPM.
  • session.gc_maxlifetime synced with SESSION_MAX_LIFETIME to prevent premature logout.
  • IP_HASH_SALT auto-generated on first request and persisted to includes/.secret_salt (chmod 0600, gitignored).
  • New tmp/.htaccess denies HTTP access to session files.
  • Hardened session_regenerate_id() flow in login.php.

Admin panel

  • Improved 403 page on admin/ — shows current user, role, and required role for faster debugging.

CI / release

  • Fixed Docker Hub build tag pattern (now matches both v1.2.3 and bare 1.2.3 semver tags).
  • Release ZIP excludes hardened: tmp/, cypress/, node_modules/, package*.json, .claude/, includes/.secret_salt.
  • Removed dead e2e-tests.yml workflow (Cypress not in repo).
  • CodeQL no longer references non-existent classic branch.
  • PHP lint now runs matrix across PHP 8.1, 8.2, 8.3.
  • vanilla-check.yml extended with chart.js, swiper, htmx, gsap, three, stimulus, d3.

Docs

  • README updated: badges refreshed, IP_HASH_SALT behaviour documented, reverse-proxy notes added, tag examples corrected (X.Y.Z not
    vX.Y.Z).

Upgrade notes

  • No breaking changes. Existing database.json and configuration are preserved.
  • Behind reverse proxy: no action required — detection is automatic.
  • Multi-server deployments should set IP_HASH_SALT explicitly so all nodes share the same salt.

Download OpenSparrow