csrf/cookie, fix Secure Attribute and align session cookie in authgui.inc

src/etc/inc/authgui.inc

@@ -170,7 +170,8 @@ function session_auth(&$Login_Error)
     if (session_status() == PHP_SESSION_NONE) {
         if (session_start()) {
             $sess_name = session_name();
-            setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
+            $secure = $config['system']['webgui']['protocol'] == "https";
+            setcookie(session_name(), session_id(), null, '/', null, $secure, true);
         }
     }
 

src/www/csrf.inc

@@ -43,11 +43,14 @@ class LegacyCSRF
 
     private function Session()
     {
+        global $config;
         if ($this->session == null) {
             $this->session = new Phalcon\Session\Adapter\Files();
             $this->session->start();
-            $secure = $config['system']['webgui']['protocol'] == 'https';
-            setcookie(session_name(), session_id(), null, '/', null, $secure, true);
+            if (!isset($_COOKIE[session_name()])) {
+                $secure = $config['system']['webgui']['protocol'] == 'https';
+                setcookie(session_name(), session_id(), null, '/', null, $secure, true);
+            }
             $this->di->setShared('session', $this->session);
         }
     }