From 6e092141824caf74509e3028445c58bfed6dba79 Mon Sep 17 00:00:00 2001
From: janis steiner
Date: Fri, 15 May 2026 09:53:18 +0200
Subject: [PATCH] fixing session coockie to set to http only and secure

---
 app-code/api/utils/security.php | 10 ++--------
 app-code/plugins/auth.php | 7 +++++++
 php-conf/php.ini | 6 +++---
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/app-code/api/utils/security.php b/app-code/api/utils/security.php
index f6d04ba..3d6d318 100644
--- a/app-code/api/utils/security.php
+++ b/app-code/api/utils/security.php
@@ -6,14 +6,11 @@ function secure_session_start(): void
         return;
     }
 
-    $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
-        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
-
     session_set_cookie_params([
         'lifetime' => 0,
         'path' => '/',
         'domain' => '',
-        'secure' => $is_https,
+        'secure' => true,
         'httponly' => true,
         'samesite' => 'Lax',
     ]);
@@ -245,13 +242,10 @@ function clear_rate_limit(mysqli $conn, string $bucket, string $identifier = '')
 
 function set_secure_cookie(string $name, string $value, int $expires): void
 {
-    $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
-        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
-
     setcookie($name, $value, [
         'expires' => $expires,
         'path' => '/',
-        'secure' => $is_https,
+        'secure' => true,
         'httponly' => true,
         'samesite' => 'Lax',
     ]);
diff --git a/app-code/plugins/auth.php b/app-code/plugins/auth.php
index a082e7d..9298481 100644
--- a/app-code/plugins/auth.php
+++ b/app-code/plugins/auth.php
@@ -35,6 +35,13 @@ $data = json_decode($response, true);
 if (isset($data['status'])) {
     if ($data['status'] == "success") {
         // Successful authentication: login the user
+        session_set_cookie_params([
+            'lifetime' => 0,
+            'path' => '/',
+            'secure' => true,
+            'httponly' => true,
+            'samesite' => 'Lax',
+        ]);
         session_start();
         $_SESSION["username"] = $data["username"];
         $_SESSION["id"] = $data["id"];
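Review bot: With `'secure' => true` now hard-coded in both `secure_session_start()` and `set_secure_cookie()`, a request that reaches PHP over plain HTTP still starts a session and emits a Set-Cookie the browser will never send back, so a misconfigured deployment fails silently instead of loudly; neither hunk adds a check or a note for that, and both functions continue outside the hunks. The removed `$is_https` detection is presumably gone because it misfires behind a TLS-terminating proxy where `$_SERVER['HTTPS']` is unset — if so, that assumption should be written down above `session_set_cookie_params([` in the first hunk, e.g. `// Cookies are always flagged Secure: this app must be served over TLS (directly or behind a TLS-terminating proxy); over plain HTTP the session cookie is never returned.` The same comment applies to `setcookie($name, $value, [` in the second hunk. If plain HTTP is never expected, a guard that fails early (log plus abort) in `secure_session_start()` would make the constraint enforceable rather than implicit.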
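Review bot: The login path in the `auth.php` hunk calls `session_start();` and immediately stores `$_SESSION["username"]` and `$_SESSION["id"]` without rotating the session id, so a session id that was set before authentication is carried into the authenticated session (session fixation); add `session_regenerate_id(true);` directly after `session_start();` unless it is already done further down — the enclosing `if` block continues outside the hunk. The added `session_set_cookie_params([...])` also duplicates the flag set that `secure_session_start()` in `app-code/api/utils/security.php` passes, minus `'domain'`, so the two definitions will drift; if `security.php` is loaded in this plugin, replacing the two added calls with `secure_session_start();` keeps a single definition. Note as well that `session_set_cookie_params()` has no effect once a session is already active, so if anything earlier in this request started one, the new flags are not applied here.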
diff --git a/php-conf/php.ini b/php-conf/php.ini
index c0a02fa..b74b248 100644
--- a/php-conf/php.ini
+++ b/php-conf/php.ini
@@ -1368,7 +1368,7 @@ session.use_strict_mode = 0
 session.use_cookies = 1
 
 ; http://php.net/session.cookie-secure
-;session.cookie_secure =
+session.cookie_secure = 1
 
 ; This option forces PHP to fetch and use a cookie for storing and maintaining
 ; the session id. We encourage this operation as it's very helpful in combating
@@ -1400,13 +1400,13 @@ session.cookie_domain =
 ; Whether or not to add the httpOnly flag to the cookie, which makes it
 ; inaccessible to browser scripting languages such as JavaScript.
 ; http://php.net/session.cookie-httponly
-session.cookie_httponly =
+session.cookie_httponly = 1
 
 ; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
 ; Current valid values are "Strict", "Lax" or "None". When using "None",
 ; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
 ; https://tools.ietf.org/html/draft-west-first-party-cookies-07
-session.cookie_samesite =
+session.cookie_samesite = Lax
 
 ; Handler used to serialize data. php is the standard serializer of PHP.
 ; http://php.net/session.serialize-handler
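Review bot: The header context of the first hunk shows `session.use_strict_mode = 0` left as is, so PHP still accepts an uninitialized session id presented by the client and the new cookie flags do not close the session-fixation gap; `session.use_strict_mode = 1` belongs in the same hardening change. The three new values (`session.cookie_secure = 1`, `session.cookie_httponly = 1`, `session.cookie_samesite = Lax`) mirror the flags now passed explicitly in `app-code/api/utils/security.php` and `app-code/plugins/auth.php`, so they only act as the fallback for any `session_start()` that is not preceded by `session_set_cookie_params()`; a one-line comment above `session.cookie_secure = 1` such as `; Kept in sync with session_set_cookie_params() in app-code/api/utils/security.php` would stop the two from silently diverging.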