This commit is contained in:
@@ -6,14 +6,11 @@ function secure_session_start(): void
|
||||
return;
|
||||
}
|
||||
|
||||
$is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|
||||
|| (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
|
||||
|
||||
session_set_cookie_params([
|
||||
'lifetime' => 0,
|
||||
'path' => '/',
|
||||
'domain' => '',
|
||||
'secure' => $is_https,
|
||||
'secure' => true,
|
||||
'httponly' => true,
|
||||
'samesite' => 'Lax',
|
||||
]);
|
||||
@@ -245,13 +242,10 @@ function clear_rate_limit(mysqli $conn, string $bucket, string $identifier = '')
|
||||
|
||||
function set_secure_cookie(string $name, string $value, int $expires): void
|
||||
{
|
||||
$is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
|
||||
|| (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
|
||||
|
||||
setcookie($name, $value, [
|
||||
'expires' => $expires,
|
||||
'path' => '/',
|
||||
'secure' => $is_https,
|
||||
'secure' => true,
|
||||
'httponly' => true,
|
||||
'samesite' => 'Lax',
|
||||
]);
|
||||
|
||||
@@ -35,6 +35,13 @@ $data = json_decode($response, true);
|
||||
if (isset($data['status'])) {
|
||||
if ($data['status'] == "success") {
|
||||
// Successful authentication: login the user
|
||||
session_set_cookie_params([
|
||||
'lifetime' => 0,
|
||||
'path' => '/',
|
||||
'secure' => true,
|
||||
'httponly' => true,
|
||||
'samesite' => 'Lax',
|
||||
]);
|
||||
session_start();
|
||||
$_SESSION["username"] = $data["username"];
|
||||
$_SESSION["id"] = $data["id"];
|
||||
|
||||
+3
-3
@@ -1368,7 +1368,7 @@ session.use_strict_mode = 0
|
||||
session.use_cookies = 1
|
||||
|
||||
; http://php.net/session.cookie-secure
|
||||
;session.cookie_secure =
|
||||
session.cookie_secure = 1
|
||||
|
||||
; This option forces PHP to fetch and use a cookie for storing and maintaining
|
||||
; the session id. We encourage this operation as it's very helpful in combating
|
||||
@@ -1400,13 +1400,13 @@ session.cookie_domain =
|
||||
; Whether or not to add the httpOnly flag to the cookie, which makes it
|
||||
; inaccessible to browser scripting languages such as JavaScript.
|
||||
; http://php.net/session.cookie-httponly
|
||||
session.cookie_httponly =
|
||||
session.cookie_httponly = 1
|
||||
|
||||
; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
|
||||
; Current valid values are "Strict", "Lax" or "None". When using "None",
|
||||
; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
|
||||
; https://tools.ietf.org/html/draft-west-first-party-cookies-07
|
||||
session.cookie_samesite =
|
||||
session.cookie_samesite = Lax
|
||||
|
||||
; Handler used to serialize data. php is the standard serializer of PHP.
|
||||
; http://php.net/session.serialize-handler
|
||||
|
||||
Reference in New Issue
Block a user