Browse code

Samesite-Cookies an (CSRF-Protection), check auf HTTPS raus, wir unterstützen nur noch HTTPS

Hanno Böck authored on07/09/2019 19:29:58
Showing1 changed files
... ...
@@ -13,9 +13,8 @@ require_once('inc/base.php');
13 13
 
14 14
 session_name(config('session_name'));
15 15
 
16
-if ($_SERVER['HTTPS']) {
17
-    session_set_cookie_params(0, '/', '', true, true);
18
-}
16
+session_set_cookie_params(array('path' => '/', 'secure' => true,
17
+                                'httponly' => true, 'samesite' => 'Lax'));
19 18
 
20 19
 if (!session_start()) {
21 20
     logger(LOG_ERR, "session/start", "session", "Die session konnte nicht gestartet werden!");