rework last, add Secure/HttpOnly attributes on logout, remove duplicate sessionid cookie

c7786bde · Ad Schellevis · 73dbbcd7 · c7786bde · c7786bde
Commit c7786bde authored Jul 03, 2017 by Ad Schellevis
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 10 deletions

authgui.inc src/etc/inc/authgui.inc +3 -6

csrf.inc src/www/csrf.inc +2 -4

No files found.
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -168,11 +168,7 @@ function session_auth(&$Login_Error)
    );

    if (session_status() == PHP_SESSION_NONE) {
-        if (session_start()) {
-            $sess_name = session_name();
-            $secure = $config['system']['webgui']['protocol'] == "https";
-            setcookie(session_name(), session_id(), null, '/', null, $secure, true);
-        }
+        session_start();
    }

    // Detect protocol change
@@ -265,7 +261,8 @@ function session_auth(&$Login_Error)
        $_SESSION = array();

        if (isset($_COOKIE[session_name()])) {
-            setcookie(session_name(), '', time()-42000, '/');
+            $secure = $config['system']['webgui']['protocol'] == "https";
+            setcookie(session_name(), '', time()-42000, '/', null, $secure, true);
        }

        /* and destroy it */

--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
@@ -47,10 +47,8 @@ class LegacyCSRF
        if ($this->session == null) {
            $this->session = new Phalcon\Session\Adapter\Files();
            $this->session->start();
-            if (!isset($_COOKIE[session_name()])) {
            $secure = $config['system']['webgui']['protocol'] == 'https';
            setcookie(session_name(), session_id(), null, '/', null, $secure, true);
-            }
            $this->di->setShared('session', $this->session);
        }
    }