From 1b3d232dbe20a26582cd26836a162075cdae16f1 Mon Sep 17 00:00:00 2001 From: Max Pozdeev Date: Mon, 20 Sep 2021 17:34:36 +0300 Subject: [PATCH] * add samesite=lax flag for session cookie (cherry picked from commit ea2ace9066f6db069c71701cf33a3814ce7e0930) --- src/init.php | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/src/init.php b/src/init.php index 30f7fa3..50f3d81 100644 --- a/src/init.php +++ b/src/init.php @@ -90,15 +90,8 @@ Lang::loadLang( Config::get('lang') ); $_mttinfo = array(); -if (need_auth() && !isset($dontStartSession)) -{ - require_once(MTTINC. 'class.sessionhandler.php'); - session_set_save_handler(new MTTSessionHandler()); - ini_set('session.use_cookies', true); - ini_set('session.use_only_cookies', true); - session_set_cookie_params(5184000, url_dir(Config::get('url')=='' ? getRequestUri() : Config::getUrl('url')), null, null, true); # 60 days session cookie lifetime (httponly) - session_name('mtt-session'); - session_start(); +if (need_auth() && !isset($dontStartSession)) { + setup_and_start_session(); } function need_auth() @@ -137,6 +130,30 @@ function check_token() } } +function setup_and_start_session() +{ + ini_set('session.use_cookies', true); + ini_set('session.use_only_cookies', true); + + $lifetime = 5184000; # 60 days session cookie lifetime + $path = url_dir(Config::get('url')=='' ? getRequestUri() : Config::getUrl('url')); + $samesite = 'lax'; + + if (PHP_VERSION_ID < 70300) { + # this is a known samesite flag workaround, was fixed in 7.3 + session_set_cookie_params($lifetime, $path. '; samesite='.$samesite, null, null, true); + } else { + session_set_cookie_params(Array( + 'lifetime' => $lifetime, + 'path' => $path, + 'httponly' => true, + 'samesite' => $samesite + )); + } + session_name('mtt-session'); + session_start(); +} + function timestampToDatetime($timestamp) { $format = Config::get('dateformat') .' '. (Config::get('clock') == 12 ? 'g:i A' : 'H:i');