Commit da71e1a0 authored by Ad Schellevis's avatar Ad Schellevis

(ui) set httponly cookie, closes https://github.com/opnsense/core/issues/897

parent b78720b8
......@@ -168,7 +168,10 @@ function session_auth(&$Login_Error)
);
if (session_status() == PHP_SESSION_NONE) {
session_start();
if (session_start()) {
$sess_name = session_name();
setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
}
}
// Detect protocol change
......
......@@ -7,6 +7,7 @@ use Phalcon\Db\Adapter\Pdo\Mysql as DbAdapter;
use Phalcon\Mvc\View\Engine\Volt as VoltEngine;
use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
use Phalcon\Session\Adapter\Files as SessionAdapter;
use OPNsense\Core\Config;
/**
* The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
......@@ -75,6 +76,15 @@ $di->set('modelsMetadata', function () {
$di->setShared('session', function () {
$session = new SessionAdapter();
$session->start();
// Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
// a valid choice.
$cnf = Config::getInstance();
if ((string)$cnf->object()->system->webgui->protocol == 'https') {
$secure = true;
} else {
$secure = false;
}
setcookie(session_name(), session_id(), null, '/', null, $secure, true);
return $session;
});
......
......@@ -34,6 +34,7 @@ use Phalcon\Mvc\Url as UrlResolver;
use Phalcon\Mvc\View;
use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
use Phalcon\Session\Adapter\Files as SessionAdapter;
use OPNsense\Core\Config;
/**
* The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
......@@ -62,6 +63,15 @@ $di->set('url', function () use ($config) {
$di->setShared('session', function () {
$session = new SessionAdapter();
$session->start();
// Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
// a valid choice.
$cnf = Config::getInstance();
if ((string)$cnf->object()->system->webgui->protocol == 'https') {
$secure = true;
} else {
$secure = false;
}
setcookie(session_name(), session_id(), null, '/', null, $secure, true);
return $session;
});
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment