Changeset 784
- Timestamp:
- Mar 6, 2023 8:19:36 PM (14 months ago)
- Location:
- trunk
- Files:
-
- 3 edited
trunk/lib/App.inc.php
r782 r784 133 133 // Use php sessions? 134 134 'enable_session' => false, 135 'session_cache_limiter' => 'nocache', //Session cache-control header: `nocache`, `private`, `private_no_expire`, or `public`. Defaults to `nocache`. 136 'session_cookie_path' => '/', 135 137 'session_name' => '_session', 136 138 'session_use_cookies' => true, 137 138 // Pass the session-id through URLs if cookies are not enabled? 139 // Disable this to prevent session ID theft. 140 'session_use_trans_sid' => false, 139 'session_use_trans_sid' => false, // Pass the session-id through URLs if cookies are not enabled? Disable this to prevent session ID theft. 141 140 142 141 // Use database? … … 498 497 // Session parameters. 499 498 // https://www.php.net/manual/en/session.security.ini.php 499 // TODO: Reliance on gc_maxlifetime is not recommended. Developers should manage the lifetime of sessions with a timestamp by themselves. 500 ini_set('session.gc_maxlifetime', 604800); // 7 days. 501 ini_set('session.cookie_lifetime', 604800); // 7 days. 502 ini_set('session.cache_limiter', $this->getParam('session_cache_limiter')); 500 503 ini_set('session.cookie_httponly', true); 504 ini_set('session.cookie_path', $this->getParam('session_cookie_path')); 505 ini_set('session.cookie_samesite', 'Strict'); // Only PHP >= 7.3 501 506 ini_set('session.cookie_secure', getenv('HTTPS') == 'on'); 502 ini_set('session.cookie_samesite', 'Strict'); // Only PHP >= 7.3 503 // TODO: Reliance on gc_maxlifetime is not recommended. Developers should manage the lifetime of sessions with a timestamp by themselves. 504 ini_set('session.cookie_lifetime', 604800); // 7 days. 505 ini_set('session.gc_maxlifetime', 604800); // 7 days. 
507 ini_set('session.entropy_file', '/dev/urandom'); 508 ini_set('session.entropy_length', '512'); 506 509 ini_set('session.gc_divisor', 1000); 507 510 ini_set('session.gc_probability', 1); 511 ini_set('session.sid_length', '48'); // Only PHP >= 7.1 508 512 ini_set('session.use_cookies', $this->getParam('session_use_cookies')); 509 ini_set('session.use_only_cookies', true); 510 ini_set('session.use_trans_sid', false); 513 ini_set('session.use_only_cookies', $this->getParam('session_use_cookies')); 511 514 ini_set('session.use_strict_mode', true); 512 ini_set('session.entropy_file', '/dev/urandom'); 513 ini_set('session.entropy_length', '512'); 514 ini_set('session.sid_length', '48'); // Only PHP >= 7.1 515 ini_set('session.cache_limiter', 'nocache'); 515 ini_set('session.use_trans_sid', $this->getParam('session_use_trans_sid')); 516 516 if ('' != $this->getParam('session_dir') && is_dir($this->getParam('session_dir'))) { 517 517 ini_set('session.save_path', $this->getParam('session_dir')); -
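Review bot: `ini_set('session.use_only_cookies', $this->getParam('session_use_cookies'))` replaces the previous hard-coded `true`, so a deployment that sets `session_use_cookies` to false now also drops the guard that rejects a session ID supplied in the URL, and `session.use_trans_sid` becomes configurable on the same line; the old code kept both pinned regardless of config. Given that the config comment on `session_use_trans_sid` itself says to disable it to prevent session ID theft, I would keep `ini_set('session.use_only_cookies', true);` unconditional, or at least state in the `session_use_cookies` comment that disabling it also disables `use_only_cookies`. The new `session_cache_limiter` value goes to `ini_set` unvalidated; the allowed list in its comment could be enforced with an `in_array(..., true)` check before the call so a typo does not silently change the Cache-Control behaviour. The enclosing method starts outside the hunk.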
trunk/lib/Prefs.inc.php
r740 r784 76 76 77 77 // The path on the server in which the cookie will be available on. 78 'cookie_path' => null,78 'cookie_path' => '/', 79 79 80 80 // The domain that the cookie is available to. -
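Review bot: The comment above `'cookie_path' => '/'` still reads only `The path on the server in which the cookie will be available on.` and does not say that the new default sends the preference cookie with every request on the host, whereas the previous `null` presumably fell through to setcookie's own default (verify). A trailing sentence such as `Defaults to '/' (the whole site); pass a narrower path if the cookie should only accompany part of the application.` would make the change discoverable from the file alone.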
trunk/services/login.php
r767 r784 48 48 require_once 'codebase/lib/Prefs.inc.php'; 49 49 $login_prefs = new Prefs('login'); 50 $login_prefs->setParam(array('storagetype' => 'cookie' ));50 $login_prefs->setParam(array('storagetype' => 'cookie', 'cookie_path' => $app->getParam('session_cookie_path'))); 51 51 52 52 $frm['username'] = getFormdata('username', $login_prefs->get('username'));
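Review bot: `$app->getParam('session_cookie_path')` ties the login-preferences cookie to the session cookie path, which keeps the two cookies in step, but `$app` is not defined inside the hunk and the line relies on it being a global set up earlier in the file; a short comment such as `// Scope the prefs cookie to the same path as the session cookie (see App 'session_cookie_path').` would record that dependency. As a point of style, the array could use short syntax, `$login_prefs->setParam(['storagetype' => 'cookie', 'cookie_path' => $app->getParam('session_cookie_path')]);`.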