csrf/cookie, fix Secure Attribute and align session cookie in authgui.inc

(cherry picked from commit 73dbbcd7) (cherry picked from commit c7786bde)

csrf/cookie, fix Secure Attribute and align session cookie in authgui.inc
(cherry picked from commit 73dbbcd7) (cherry picked from commit c7786bde)
52815848 · Ad Schellevis · Franco Fichtner · abb22624 · 52815848 · 52815848
Commit 52815848 authored Jul 03, 2017 by Ad Schellevis Committed by Franco Fichtner Jul 06, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 5 deletions

authgui.inc src/etc/inc/authgui.inc +3 -5

csrf.inc src/www/csrf.inc +1 -0

No files found.
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -168,10 +168,7 @@ function session_auth(&$Login_Error)
    );

    if (session_status() == PHP_SESSION_NONE) {
-        if (session_start()) {
-            $sess_name = session_name();
-            setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
-        }
+        session_start();
    }

    // Detect protocol change
@@ -264,7 +261,8 @@ function session_auth(&$Login_Error)
        $_SESSION = array();

        if (isset($_COOKIE[session_name()])) {
-            setcookie(session_name(), '', time()-42000, '/');
+            $secure = $config['system']['webgui']['protocol'] == "https";
+            setcookie(session_name(), '', time()-42000, '/', null, $secure, true);
        }

        /* and destroy it */

--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
@@ -43,6 +43,7 @@ class LegacyCSRF

    private function Session()
    {
+        global $config;
        if ($this->session == null) {
            $this->session = new Phalcon\Session\Adapter\Files();
            $this->session->start();