author | Christian Schneider | 2019-09-10 13:38:23 +0200 |
committer | Christian Schneider | 2019-09-10 13:38:23 +0200 |
commit | 7cacb3fbd49cdd5b960242e5c988e94d823eae67 (patch) | |
tree | bc6d6112460ee3847fb5eec14ba81a293c3fca5a | |
parent | 3148b14a68af96bbf05db8d879d1072cab3b9455 (diff) | |
New it_session::setcookie() which uses SameSite=Lax
-rw-r--r-- | it_session.class | 16 | ||||
-rw-r--r-- | it_user.class | 2 |
2 files changed, 15 insertions, 3 deletions
diff --git a/it_session.class b/it_session.class
index f1dc541..866e197 100644
--- a/it_session.class
+++ b/it_session.class
@@ -165,7 +165,7 @@ function set_valid($valid = true, $login_identifier_required = false, $login_ide
 $result = !$valid; /* Setting to invalid succeeded or setting to valid failed */
 }
- @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
+ self::setcookie([ 'name' => $this->cookiename, 'value' => $this->cookie, 'expires' => _IT_SESSION_COOKIE_EXPIRY, 'domain' => $this->domain, 'secure' => $this->ssl ]);
 $_COOKIE[$this->cookiename] = $this->cookie;
 return $result;
@@ -190,7 +190,7 @@ function create_login_identifier()
 if (!$this->cookie) {
 $this->cookie = md5(uniqid(rand())); /* random garbage */
- @setcookie($this->cookiename, $this->cookie, _IT_SESSION_COOKIE_EXPIRY, "/", $this->domain, $this->ssl, true);
+ self::setcookie([ 'name' => $this->cookiename, 'value' => $this->cookie, 'expires' => _IT_SESSION_COOKIE_EXPIRY, 'domain' => $this->domain, 'secure' => $this->ssl ]);
 }
 $login_identifier = $this->_mkcookie("", $this->cookie);
@@ -240,6 +240,18 @@ function check_signature($text, $signature)
 ($this->_sign($text, $this->prev) == $signature));
 }
+/*
+ * Set cookie with options as safe as possible for session
+ * @param $p['name'] Name of cookie
+ * @param $p['value'] Value of cookie
+ * @param $p Other options: expires, path, domain, secure, httponly and samesite
+ */
+static function setcookie($p)
+{
+ $p += [ 'path' => '/', 'httponly' => true, 'samesite' => 'Lax' ];
+ return version_compare(PHP_VERSION, '7.3.0') >= 0 ? @setcookie($p['name'], $p['value'], $p) : @setcookie($p['name'], $p['value'], $p['expires'], $p['path'], $p['domain'], $p['secure'], $p['httponly']);
+}
+
 } /* End class it_user */
 ?>
diff --git a/it_user.class b/it_user.class
index 26046cf..a972130 100644
--- a/it_user.class
+++ b/it_user.class
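Review bot: The value the new `self::setcookie()` call sends as the session cookie is still produced by `md5(uniqid(rand()))` on the context line just above it, which is not cryptographically random: uniqid() is derived from the clock and rand() is a seeded PRNG, so the identifier is far more guessable than its 32 hex characters suggest. Hardening HttpOnly/SameSite on the cookie is of limited use while the value itself stays predictable. I would replace that line with `$this->cookie = bin2hex(random_bytes(16)); /* 128-bit CSPRNG token */`, which keeps the same 32-hex-char shape so nothing downstream needs to change; if PHP < 7.0 must still be served, an openssl_random_pseudo_bytes() fallback is needed there. create_login_identifier() continues outside the hunk.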
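Review bot: In the PHP >= 7.3 branch of the new setcookie() helper the whole `$p` array, still holding the `name` and `value` entries, is handed to the native setcookie() as its options array, which only knows expires/path/domain/secure/httponly/samesite. On 7.3/7.4 every extra key raises an E_WARNING ("Unrecognized key ... found in the options array") that the `@` hides; as far as I recall PHP 8 rejects unknown option keys with a ValueError, which `@` does not suppress, so the session cookie would not be set at all there. Strip them before the call: `@setcookie($p['name'], $p['value'], array_diff_key($p, [ 'name' => 0, 'value' => 0 ]))`. The legacy branch also reads `$p['expires']`, `$p['domain']` and `$p['secure']` without defaults, so a caller that omits one gets an undefined-index notice masked by the same `@`; extending the defaults line to `$p += [ 'expires' => 0, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => true, 'samesite' => 'Lax' ];` covers both branches. The docblock should state that `samesite` is silently dropped on PHP < 7.3, since the seven-argument signature has no way to emit it and the "as safe as possible" wording otherwise implies Lax is always applied.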
@@ -205,7 +205,7 @@ function _set_uid($uid)
 if (!isset($_COOKIE[$this->p['uidcookiename']]) || ($_COOKIE[$this->p['uidcookiename']] != $uid)) {
- @setcookie($this->p['uidcookiename'], $uid, _IT_USER_UID_COOKIE_LIFETIME, "/", $this->domain, false, true);
+ it_session::setcookie([ 'name' => $this->p['uidcookiename'], 'value' => $uid, 'expires' => _IT_USER_UID_COOKIE_LIFETIME, 'domain' => $this->domain, 'secure' => false ]);
 $_COOKIE[$this->p['uidcookiename']] = $uid;
 }
 } |
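Review bot: The uid cookie is hard-coded `'secure' => false` while the session cookie in it_session.class passes `$this->ssl`, so on an HTTPS deployment this long-lived identifier (lifetime `_IT_USER_UID_COOKIE_LIFETIME`) is still attached to any plain-HTTP request for the domain. If the cookie is deliberately readable over plain HTTP, a comment such as `/* uid cookie is intentionally not Secure: … */` should say why; otherwise it should mirror the session cookie with `'secure' => $this->ssl`, assuming it_user carries the same property (only `$this->domain` is visible in this hunk). The body of _set_uid() begins outside the hunk.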