Changeset 784 for trunk

Timestamp:

Mar 6, 2023 8:19:36 PM (14 months ago)

Author:

anonymous

Message:

Allow setting cookie_path

Location:

trunk

Files:

• lib/App.inc.php (modified) (2 diffs)
• lib/Prefs.inc.php (modified) (1 diff)
• services/login.php (modified) (1 diff)

trunk/lib/App.inc.php

@@ -133 +133 @@
         // Use php sessions?
         'enable_session' => false,
+        'session_cache_limiter' => 'nocache', //Session cache-control header: `nocache`, `private`, `private_no_expire`, or `public`. Defaults to `nocache`.
+        'session_cookie_path' => '/',
         'session_name' => '_session',
         'session_use_cookies' => true,
-
-        // Pass the session-id through URLs if cookies are not enabled?
-        // Disable this to prevent session ID theft.
-        'session_use_trans_sid' => false,
+        'session_use_trans_sid' => false, // Pass the session-id through URLs if cookies are not enabled? Disable this to prevent session ID theft.
 
         // Use database?
@@ -498 +497 @@
             // Session parameters.
             // https://www.php.net/manual/en/session.security.ini.php
+            // TODO: Reliance on gc_maxlifetime is not recommended. Developers should manage the lifetime of sessions with a timestamp by themselves.
+            ini_set('session.gc_maxlifetime', 604800); // 7 days.
+            ini_set('session.cookie_lifetime', 604800); // 7 days.
+            ini_set('session.cache_limiter', $this->getParam('session_cache_limiter'));
             ini_set('session.cookie_httponly', true);
+            ini_set('session.cookie_path', $this->getParam('session_cookie_path'));
+            ini_set('session.cookie_samesite', 'Strict'); // Only PHP >= 7.3
             ini_set('session.cookie_secure', getenv('HTTPS') == 'on');
-            ini_set('session.cookie_samesite', 'Strict'); // Only PHP >= 7.3
-            // TODO: Reliance on gc_maxlifetime is not recommended. Developers should manage the lifetime of sessions with a timestamp by themselves.
-            ini_set('session.cookie_lifetime', 604800); // 7 days.
-            ini_set('session.gc_maxlifetime', 604800); // 7 days.
+            ini_set('session.entropy_file', '/dev/urandom');
+            ini_set('session.entropy_length', '512');
             ini_set('session.gc_divisor', 1000);
             ini_set('session.gc_probability', 1);
+            ini_set('session.sid_length', '48'); // Only PHP >= 7.1
             ini_set('session.use_cookies', $this->getParam('session_use_cookies'));
-            ini_set('session.use_only_cookies', true);
-            ini_set('session.use_trans_sid', false);
+            ini_set('session.use_only_cookies', $this->getParam('session_use_cookies'));
             ini_set('session.use_strict_mode', true);
-            ini_set('session.entropy_file', '/dev/urandom');
-            ini_set('session.entropy_length', '512');
-            ini_set('session.sid_length', '48'); // Only PHP >= 7.1
-            ini_set('session.cache_limiter', 'nocache');
+            ini_set('session.use_trans_sid', $this->getParam('session_use_trans_sid'));
             if ('' != $this->getParam('session_dir') && is_dir($this->getParam('session_dir'))) {
                 ini_set('session.save_path', $this->getParam('session_dir'));

trunk/lib/Prefs.inc.php

@@ -76 +76 @@
 
         // The path on the server in which the cookie will be available on.
-        'cookie_path' => null,
+        'cookie_path' => '/',
 
         // The domain that the cookie is available to.

trunk/services/login.php

@@ -48 +48 @@
 require_once 'codebase/lib/Prefs.inc.php';
 $login_prefs = new Prefs('login');
-$login_prefs->setParam(array('storagetype' => 'cookie'));
+$login_prefs->setParam(array('storagetype' => 'cookie', 'cookie_path' => $app->getParam('session_cookie_path')));
 
 $frm['username'] = getFormdata('username', $login_prefs->get('username'));