Improve session config and cookie store (part of #7685)#7689
Signed-off-by: Zoey <zoey@z0ey.de>
| ini_set('session.save_path', $dataConst->GetSessionDirectory()); | ||
|
|
||
| // Auto logout on browser close | ||
| ini_set('session.cookie_lifetime', '0'); |
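Review bot: the removed `session.cookie_lifetime` line was PHP's default, so behaviour is unchanged, but the "Auto logout on browser close" comment promised more than the setting delivers: a lifetime of 0 only asks the browser to drop the cookie when it closes, and browsers that restore their previous tabs keep such cookies, so the server-side `gc_maxlifetime` is the bound that actually ends the session. If the intent survives anywhere, it should be worded as "session cookie, not persisted" rather than "auto logout".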
I removed this since it is the default
|
|
||
| $container = \AIO\DependencyInjection::GetContainer(); | ||
| $dataConst = $container->get(\AIO\Data\DataConst::class); | ||
| ini_set('session.save_path', $dataConst->GetSessionDirectory()); |
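Review bot: `session.save_path` has to be in effect before `session_start()`, so moving this `ini_set()` into the `session_start()` options array is the right place for it; a dedicated directory from `GetSessionDirectory()` also keeps the session files away from other PHP applications on the host and is the only directory the files handler's collector will ever scan. Please make sure that directory is created with permissions restricted to the PHP user, since session files carry the authenticated state in plain text.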
moved to session_start
| ini_set('session.cookie_lifetime', '0'); | ||
|
|
||
| # Keep session for 24h max | ||
| ini_set('session.gc_maxlifetime', '86400'); |
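Review bot: the `# Keep session for 24h max` comment overstates what `gc_maxlifetime` alone does. It only marks a session as eligible for collection once its file is older than 86400 s; whether the collector runs on a given request is decided by `gc_probability`/`gc_divisor`, so with those left at their defaults an idle session can outlive 24h by a random, unbounded margin and still be accepted, because PHP does not check `gc_maxlifetime` when it reads a session. Either set probability and divisor alongside it or reword the comment. The line also uses `#` while the neighbouring comments use `//`.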
moved to session_start
php/public/index.php
| "use_strict_mode" => true, | ||
| "cookie_secure" => true, | ||
| "cookie_httponly" => true, | ||
| "cookie_samesite" => "Strict", |
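Review bot: `cookie_samesite => "Strict"` also withholds the cookie on top-level navigations that arrive from another site (a link in an email, for example), so such a navigation lands on the interface without a session and the user signs in again; that is an acceptable trade-off for an admin interface as long as nothing relies on deep-linking into a logged-in page. `Lax` would still block cross-site POST, which is the main CSRF vector, so it is the fallback if Strict turns out to break a flow. Note that `session.cookie_samesite` requires PHP 7.3 or newer; older PHP silently ignores the option.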
I'm not sure if Strict or Lax should be used. Lax works in any case. But Strict should be preferred, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
Strict should work, so let's use that, please. I would consider anything that breaks using Strict a bug.
php/public/index.php
| "gc_divisor" => 1, | ||
| "use_strict_mode" => true, | ||
| "cookie_secure" => true, | ||
| "cookie_httponly" => true, |
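Review bot: `cookie_httponly => true` only hides the cookie from `document.cookie`; the browser still attaches it to same-origin `fetch()` and XHR requests, so JavaScript callers need no access to the value. What the flag buys is that a script injected into the page cannot exfiltrate the session ID, not that it cannot make authenticated requests. Since exactly this question came up in review, a one-line comment next to the option saying "cookie is still sent with fetch(); JS just cannot read it" would save the next reader the same detour.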
Since the browser/frontend never accesses the token with JavaScript, this will make the token only be sent with https requests, while blocking JavaScript from reading it.
Since a short while ago we do fetch() some data from JavaScript, so we need the cookie in JS, too, please.
I think you have a small misunderstanding here: even with httponly set, the cookie will still be sent for fetch requests. httponly only means that the JS cannot read the cookie; it will still be sent for all matching http(s) requests triggered by JS.
You are right, I wasn't concentrating. Sorry & thank you!
php/public/index.php
| "gc_probability" => 1, | ||
| "gc_divisor" => 1, | ||
| "use_strict_mode" => true, | ||
| "cookie_secure" => true, |
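Review bot: with `cookie_secure => true` the browser never sends the session cookie over plain http, so a login on an http URL (for example during local testing before TLS is in place) appears to succeed and the very next request arrives without a session; the failure mode is a silent logout loop rather than an error. Please confirm that every path by which the interface is reached is https, and consider a short comment on the line so that whoever hits the loop knows where to look.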
This makes the cookie only be sent over https, but not http.
php/public/index.php
| "gc_maxlifetime" => 86400, | ||
| "gc_probability" => 1, | ||
| "gc_divisor" => 1, | ||
| "use_strict_mode" => true, |
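Review bot: `use_strict_mode => true` makes PHP discard a session ID the browser presents that the handler never issued and generate a fresh one, which closes session fixation via an attacker-chosen ID; it is most effective together with `session_regenerate_id(true)` after a successful login, so the pre-authentication ID never becomes the authenticated one, and it is worth checking the login handler does that. Note that the files handler validates an ID simply by checking that its file exists in `save_path`, so a session that has expired per `gc_maxlifetime` but has not yet been collected still validates; that is one more reason the `gc_probability`/`gc_divisor` lines in this hunk need to be deterministic.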
This is recommended by PHP: https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
php/public/index.php
| "gc_maxlifetime" => 86400, | ||
| "gc_probability" => 1, | ||
| "gc_divisor" => 1, |
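Review bot: `gc_probability => 1` with `gc_divisor => 1` runs the collector on every `session_start()`, which for the files handler means a directory scan of `save_path` on every request. That is fine for an admin interface with a handful of sessions, but it should be stated in a comment so the block is not copied into a high-traffic context unchanged, and it is what makes the 24h bound real here: a distribution php.ini that sets `gc_probability` to 0 in favour of an external cleanup job only covers the default session directory, not the custom `save_path` set above. The `86400` literal would also read better with the "24h" intent from the old comment next to it.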
In the past only gc_maxlifetime was set. It controls after which time a session may be deleted. The comment said "Keep session for 24h max", but this is wrong. If only gc_maxlifetime is changed but not gc_probability/gc_divisor, it only means that a session can be deleted after 24 hours with a chance of 1%. Setting gc_probability/gc_divisor both to 1 means that the session will be deleted with 100% certainty after 24 hours.
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
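The garbage-collection behaviour described in the comment above, as an added example that is not part of the PR or the AIO code base: a php-cli script that plants a constructed, two-day-old session file in a temporary directory and starts a session twice, once with gc switched off and once with gc_probability/gc_divisor set to 1/1. The directory names, the sample session payload, and the helper names `createStaleSession` and `staleSessionSurvives` are assumptions made for the demo.

```php
<?php
// Added example (not code from the PR or the AIO project): shows that
// session.gc_maxlifetime alone only makes a session *eligible* for deletion,
// while gc_probability/gc_divisor decide whether the collector actually runs
// on a given session_start(). Run with php-cli; it touches only temp dirs.
declare(strict_types=1);

// Plant a constructed, already-expired session file in $dir.
// The files handler decides expiry by the file's mtime, so we back-date it.
function createStaleSession(string $dir, int $ageSeconds): string
{
    $file = $dir . '/sess_' . bin2hex(random_bytes(16));  // constructed session id
    file_put_contents($file, 'user|s:5:"alice";');          // constructed payload
    touch($file, time() - $ageSeconds);
    return $file;
}

// Start and immediately close a session with the given gc settings in a fresh
// save_path, then report whether the stale file is still there.
function staleSessionSurvives(int $probability, int $divisor): bool
{
    $dir = sys_get_temp_dir() . '/gc-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);                                    // private to the PHP user
    $stale = createStaleSession($dir, 2 * 86400);         // two days old

    session_start([
        'save_path'       => $dir,
        'gc_maxlifetime'  => 86400,        // eligible for deletion after 24h ...
        'gc_probability'  => $probability, // ... but only collected if gc runs,
        'gc_divisor'      => $divisor,     //     with probability/divisor odds
        'use_strict_mode' => true,
        'use_cookies'     => false,        // CLI run: no Set-Cookie header needed
        'cache_limiter'   => '',           // CLI run: no cache headers either
    ]);
    session_write_close();

    $survived = file_exists($stale);

    // Remove the demo directory (the new session's own file included).
    array_map('unlink', glob($dir . '/sess_*') ?: []);
    rmdir($dir);
    return $survived;
}

// Compute both results before printing anything, so no output precedes session_start().
$withGcOff   = staleSessionSurvives(0, 1);   // collector never runs
$withGcEvery = staleSessionSurvives(1, 1);   // collector runs on every session_start()

printf("gc disabled (0/1):       stale session survives = %s\n", $withGcOff ? 'yes' : 'no');
printf("gc on every start (1/1): stale session survives = %s\n", $withGcEvery ? 'yes' : 'no');
```

With gc switched off the two-day-old file stays in place and, because PHP does not compare `gc_maxlifetime` at read time, a browser presenting that ID would still be accepted; with 1/1 the file is removed on the very first `session_start()`. The default 1/100 sits between the two: the same run would delete the file only about one time in a hundred.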
Signed-off-by: Zoey <zoey@z0ey.de>
done