hardened session cookie

benapetr · benapetr · commit 19e0764b33a7 · 2026-04-30T15:25:22.000+02:00
diff --git a/includes/login.php b/includes/login.php
@@ -38,6 +38,12 @@ function RefreshSession()
     }
 
     session_name($g_auth_session_name);
+    session_set_cookie_params([
+                                  'lifetime' => 0,
+                                  'path' => '/',
+                                  'httponly' => true,
+                                  'samesite' => 'Lax'
+                              ]);
     session_start();
     if (isset($_SESSION["time"]))
     {
@@ -107,6 +113,7 @@ function ProcessTokenLogin()
     $token = $_POST['token'];
     if (in_array($token, $g_api_tokens))
     {
+        session_regenerate_id(true);
         $_SESSION["user"] = $token;
         $_SESSION["logged_in"] = true;
         $_SESSION["token"] = true;
@@ -249,6 +256,7 @@ function ProcessLogin_LDAP()
                 return;
             }
         }
+        session_regenerate_id(true);
         $_SESSION['user'] = $login_name;
         $_SESSION['logged_in'] = true;
         $g_logged_in = true;
@@ -315,6 +323,7 @@ function ProcessLogin_File()
     }
 
     // Login OK
+    session_regenerate_id(true);
     $_SESSION['user'] = $username;
     $_SESSION['logged_in'] = true;
     $roles = $user['roles'];

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ function RefreshSession()`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`session_name($g_auth_session_name);`
	`41`	`+ session_set_cookie_params([`
	`42`	`+ 'lifetime' => 0,`
	`43`	`+ 'path' => '/',`
	`44`	`+ 'httponly' => true,`
	`45`	`+ 'samesite' => 'Lax'`
	`46`	`+ ]);`
`41`	`47`	`session_start();`
`42`	`48`	`if (isset($_SESSION["time"]))`
`43`	`49`	`{`
`@@ -107,6 +113,7 @@ function ProcessTokenLogin()`
`107`	`113`	`$token = $_POST['token'];`
`108`	`114`	`if (in_array($token, $g_api_tokens))`
`109`	`115`	`{`
	`116`	`+ session_regenerate_id(true);`
`110`	`117`	`$_SESSION["user"] = $token;`
`111`	`118`	`$_SESSION["logged_in"] = true;`
`112`	`119`	`$_SESSION["token"] = true;`
`@@ -249,6 +256,7 @@ function ProcessLogin_LDAP()`
`249`	`256`	`return;`
`250`	`257`	`}`
`251`	`258`	`}`
	`259`	`+ session_regenerate_id(true);`
`252`	`260`	`$_SESSION['user'] = $login_name;`
`253`	`261`	`$_SESSION['logged_in'] = true;`
`254`	`262`	`$g_logged_in = true;`
`@@ -315,6 +323,7 @@ function ProcessLogin_File()`
`315`	`323`	`}`
`316`	`324`
`317`	`325`	`// Login OK`
	`326`	`+ session_regenerate_id(true);`
`318`	`327`	`$_SESSION['user'] = $username;`
`319`	`328`	`$_SESSION['logged_in'] = true;`
`320`	`329`	`$roles = $user['roles'];`