Use generic session name and __Host- prefix for improved security
Hanno Böck

Hanno Böck commited on 2024-03-11 14:39:39
Zeige 2 geänderte Dateien mit 4 Einfügungen und 2 Löschungen.

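--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -33,7 +33,6 @@ $config['logging'] = LOG_ERR;
 
 $config['mime_type'] = 'text/html';
 
-$config['session_name'] = 'CONFIG_SCHOKOKEKS_ORG';
 $config['theme'] = 'default';
 
 ini_set('display_errors', 'On');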
@@ -11,7 +11,10 @@ require_once('inc/debug.php');
11 11
 
12 12
 require_once('inc/base.php');
13 13
 
14
-session_name(config('session_name'));
14
+// __Host- prefix guarantees secure cookie that cannot be
15
+// overwritten by other hosts:
16
+// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis
17
+session_name('__Host-CONFIG_INTERFACE');
15 18
 
16 19
 session_set_cookie_params(['path' => '/', 'secure' => true,
17 20
                                 'httponly' => true, 'samesite' => 'Lax', ]);
18 21
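Review bot: The `__Host-` prefix on the new `session_name('__Host-CONFIG_INTERFACE')` is honoured by browsers only when the cookie is sent with `Secure`, `Path=/` and no `Domain` attribute, and the `session_set_cookie_params` call below sets the first two but leaves `domain` unset, so a `session.cookie_domain` configured in php.ini would presumably still be emitted and the cookie silently discarded; add `'domain' => ''` to that options array. PHP does not validate the prefix itself, and browsers also refuse prefixed cookies set over plain http, so a broken setup only shows up as a session that never persists; the added comment could say so, e.g. `// Requires Secure + Path=/ and no Domain attribute; browsers drop the cookie over plain http.` The hunk is top-level script code with no enclosing function, and the file section appears to continue past the last line shown.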