diff options
| -rw-r--r-- | lib/Minz/Session.php | 58 | ||||
| -rw-r--r-- | p/.htaccess | 1 |
2 files changed, 24 insertions, 35 deletions
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php index aafbbbde8..6cb26ce71 100644 --- a/lib/Minz/Session.php +++ b/lib/Minz/Session.php @@ -30,7 +30,7 @@ class Minz_Session { } /** - * Initialize the session, with a name + * Initialize and start the session, with a name * The session name is used as the name for cookies and URLs (i.e. PHPSESSID). * It should contain only alphanumeric characters; it should be short and descriptive * If the volatile parameter is true, then no cookie and not session storage are used. @@ -43,19 +43,24 @@ class Minz_Session { return; } - $cookie = session_get_cookie_params(); - self::keepCookie($cookie['lifetime']); + $params = session_get_cookie_params(); + // Sanitize lifetime of session cookies from PHP ini `session.cookie_lifetime` (default 0) + $params['lifetime'] = ($params['lifetime'] <= 0 || $params['lifetime'] > 86400) ? 0 : $params['lifetime']; + $params['path'] = ''; // Current directory + $params['domain'] = ''; // Current domain + $params['secure'] = Minz_Request::isHttps(); + $params['httponly'] = true; + $params['samesite'] = 'Lax'; + session_set_cookie_params($params); - // start session session_name($name); - //When using cookies (default value), session_stars() sends HTTP headers + // When using cookies (default value), session_start() sends HTTP headers session_start(); session_write_close(); - //Use cookie only the first time the session is started to avoid resending HTTP headers + // Use cookie only the first time the session is started to avoid resending HTTP headers ini_set('session.use_cookies', '0'); } - /** * Allows you to retrieve a session variable * @param string $p the parameter to retrieve @@ -175,27 +180,6 @@ class Minz_Session { } } - public static function getCookieDir(): string { - // Get the script_name (e.g. /p/i/index.php) and keep only the path. - $cookie_dir = ''; - if (!empty($_SERVER['HTTP_X_FORWARDED_PREFIX']) && is_string($_SERVER['HTTP_X_FORWARDED_PREFIX'])) { - $cookie_dir .= rtrim($_SERVER['HTTP_X_FORWARDED_PREFIX'], '/ '); - } - $cookie_dir .= empty($_SERVER['REQUEST_URI']) || !is_string($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI']; - if (substr($cookie_dir, -1) !== '/') { - $cookie_dir = dirname($cookie_dir) . '/'; - } - return $cookie_dir; - } - - /** - * Specifies the lifetime of the cookies - * @param int $l the lifetime - */ - public static function keepCookie(int $l): void { - session_set_cookie_params($l, self::getCookieDir(), '', Minz_Request::isHttps(), true); - } - /** * Regenerate a session id. */ @@ -214,21 +198,27 @@ class Minz_Session { Minz_Error::error(500); return; } - $lifetime = session_get_cookie_params()['lifetime']; - $expire = $lifetime > 0 ? time() + $lifetime : 0; - setcookie($name, $newId, $expire, self::getCookieDir(), '', Minz_Request::isHttps(), true); + $params = session_get_cookie_params(); + $params['expires'] = $params['lifetime'] > 0 ? time() + $params['lifetime'] : 0; + unset($params['lifetime']); + setcookie($name, $newId, $params); } public static function deleteLongTermCookie(string $name): void { - setcookie($name, '', 1, '', '', Minz_Request::isHttps(), true); + $params = session_get_cookie_params(); + $params['expires'] = 1; + unset($params['lifetime']); + setcookie($name, '', $params); } public static function setLongTermCookie(string $name, string $value, int $expire): void { - setcookie($name, $value, $expire, '', '', Minz_Request::isHttps(), true); + $params = session_get_cookie_params(); + $params['expires'] = $expire; + unset($params['lifetime']); + setcookie($name, $value, $params); } public static function getLongTermCookie(string $name): string { return is_string($_COOKIE[$name] ?? null) ? $_COOKIE[$name] : ''; } - } diff --git a/p/.htaccess b/p/.htaccess index 06790616b..f6216a439 100644 --- a/p/.htaccess +++ b/p/.htaccess @@ -44,7 +44,6 @@ AddDefaultCharset UTF-8 Header merge Cache-Control "immutable" </If> </FilesMatch> - Header edit Set-Cookie ^(.*)$ "$1; SameSite=Lax" </IfModule> # Provide the true IP address of the connection (e.g. last proxy), even when using mod_remoteip |