Added new uniqueness option to optionally use security.salt

2026-05-07 10:17:16 +02:00 · 2018-11-04 15:50:03 -07:00
parent 64b0fd7e86
commit 3c2a8510f9
3 changed files with 17 additions and 2 deletions
--- a/system/blueprints/config/system.yaml
+++ b/system/blueprints/config/system.yaml
@@ -1132,6 +1132,17 @@ form:
                            label: PLUGIN_ADMIN.NAME
                            help: PLUGIN_ADMIN.SESSION_NAME_HELP

+                        session.uniqueness:
+                            type: select
+                            size: medium
+                            label: PLUGIN_ADMIN.SESSION_UNIQUENESS
+                            help: PLUGIN_ADMIN.SESSION_UNIQUENESS_HELP
+                            highlight: path
+                            default: path
+                            options:
+                                path: Grav's root file path
+                                salt: Grav's random security salt
+
                        session.secure:
                            type: toggle
                            label: PLUGIN_ADMIN.SESSION_SECURE
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@@ -143,6 +143,7 @@ session:
  initialize: true                               # Initialize session from Grav (if false, plugin needs to start the session)
  timeout: 1800                                  # Timeout in seconds
  name: grav-site                                # Name prefix of the session cookie. Use alphanumeric, dashes or underscores only. Do not use dots in the session name
+  uniqueness: path                               # Should sessions be `path` based or `security.salt` based
  secure: false                                  # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS
  httponly: true                                 # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
  split: true                                    # Sessions should be independent between site and plugins (such as admin)
--- a/system/src/Grav/Common/Service/SessionServiceProvider.php
+++ b/system/src/Grav/Common/Service/SessionServiceProvider.php
@@ -67,8 +67,11 @@ class SessionServiceProvider implements ServiceProviderInterface
                $cookie_lifetime = 9999999999;
            }

-            $inflector = new Inflector();
-            $session_name = $inflector->hyphenize($config->get('system.session.name', 'grav-site')) . '-' . md5($config->get('security.salt'));
+            $session_prefix = $c['inflector']->hyphenize($config->get('system.session.name', 'grav-site'));
+            $session_uniqueness = $config->get('system.session.uniqueness', 'path') === 'path' ?  substr(md5(GRAV_ROOT), 0, 7) :  md5($config->get('security.salt'));
+
+            $session_name = $session_prefix . '-' . $session_uniqueness;
+
            if ($is_admin && $config->get('system.session.split', true)) {
                $session_name .= '-admin';
            }