From 3698afb8a6dc9608347bc0dfa869b303b8e9b8aa Mon Sep 17 00:00:00 2001
From: Flavio Copes
Date: Tue, 22 Dec 2015 17:03:39 +0100
Subject: [PATCH 1/2] Add secure and httponly parameters to sessions
---
 system/blueprints/config/system.yaml | 23 +++++++++++++++++++++++
 system/config/system.yaml | 4 ++--
 system/src/Grav/Common/Session.php | 8 +++++---
 3 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/system/blueprints/config/system.yaml b/system/blueprints/config/system.yaml
index 69e8ec7a5..45bb3a583 100644
--- a/system/blueprints/config/system.yaml
+++ b/system/blueprints/config/system.yaml
@@ -793,6 +793,29 @@ form:
 label: PLUGIN_ADMIN.NAME
 help: PLUGIN_ADMIN.SESSION_NAME_HELP
+ session.secure:
+ type: toggle
+ label: PLUGIN_ADMIN.SESSION_SECURE
+ help: PLUGIN_ADMIN.SESSION_SECURE_HELP
+ highlight: 1
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ default: false
+ validate:
+ type: bool
+
+ session.httponly:
+ type: toggle
+ label: PLUGIN_ADMIN.SESSION_HTTPONLY
+ help: PLUGIN_ADMIN.SESSION_HTTPONLY_HELP
+ highlight: 1
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ default: true
+ validate:
+ type: bool
 advanced:
 type: section
diff --git a/system/config/system.yaml b/system/config/system.yaml
index 846ec740d..88632f4c9 100644
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@@ -110,5 +110,5 @@ session:
 enabled: true # Enable Session support
 timeout: 1800 # Timeout in seconds
 name: grav-site # Name prefix of the session cookie. Use alphanumeric, dashes or underscores only. Do not use dots in the session name
-
-
+ secure: false # Set session secure. If true, indicates that communication for this cookie must be over an encrypted transmission. Enable this only on sites that run exclusively on HTTPS
+ httponly: true # Set session HTTP only. If true, indicates that cookies should be used only over HTTP, and JavaScript modification is not allowed.
\ No newline at end of file
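Review bot: The comment on the new `httponly` line describes the flag as "cookies should be used only over HTTP", which reads as the opposite of `secure` and is not what HttpOnly means; the attribute only keeps the cookie out of reach of client-side script (document.cookie) and says nothing about the transport. Suggest rewording it to `httponly: true # Set session HttpOnly. If true, the session cookie cannot be read by JavaScript (document.cookie), which limits what an XSS bug can steal`. The `secure` comment is accurate, but because it defaults to `false` an HTTPS-only site keeps sending its session cookie on plaintext requests until the operator opts in, which the help text could state explicitly. The hunk also drops the file's trailing newline, as the `\ No newline at end of file` marker shows.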
diff --git a/system/src/Grav/Common/Session.php b/system/src/Grav/Common/Session.php
index 5be15ec35..1266d3ccb 100644
--- a/system/src/Grav/Common/Session.php
+++ b/system/src/Grav/Common/Session.php
@@ -36,18 +36,20 @@ class Session extends \RocketTheme\Toolbox\Session\Session
 }
 if ($config->get('system.session.enabled') || $is_admin) {
-
- // Define session service.
 parent::__construct(
 $session_timeout,
 $session_path
 );
+ $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false;
+ $secure = $config->get('system.session.secure', false);
+ $httponly = $config->get('system.session.httponly', true);
+
 $unique_identifier = GRAV_ROOT;
 $this->setName($config->get('system.session.name', 'grav_site') . '-' . substr(md5($unique_identifier), 0, 7) . ($is_admin ? '-admin' : ''));
 $this->start();
- setcookie(session_name(), session_id(), time() + $session_timeout, $session_path);
+ setcookie(session_name(), session_id(), time() + $session_timeout, $session_path, $domain, $secure, $httponly);
 }
 }
 }
From efded08d6efc52b2df63357fa08ed4b38b6ca59f Mon Sep 17 00:00:00 2001
From: Flavio Copes
Date: Wed, 23 Dec 2015 09:18:27 +0100
Subject: [PATCH 2/2] Uses Uri::host() to calculate the host. If localhost, set it to '' Now also works with Chrome on localhost SSL sites. The problem was, Chrome on Localhost wants the domain to be `""` or `false` even if the site is accessed with another domain name. Worked fine in other browsers.
---
 system/src/Grav/Common/Session.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/system/src/Grav/Common/Session.php b/system/src/Grav/Common/Session.php
index 1266d3ccb..bb34d3b2c 100644
--- a/system/src/Grav/Common/Session.php
+++ b/system/src/Grav/Common/Session.php
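Review bot: The Secure and HttpOnly flags are applied only to the hand-built `setcookie()` call after `$this->start();`, not to the session cookie parameters, so the Set-Cookie that the session extension presumably emits itself during start (and on any later id regeneration) still goes out without them, leaving two headers for the same cookie name with only one carrying the flags. If `start()` in the parent class wraps `session_start()` (it is defined outside this hunk), adding `session_set_cookie_params($session_timeout, $session_path, $domain, $secure, $httponly);` before `$this->start();` keeps both cookies consistent and reduces the manual `setcookie()` to a lifetime refresh. The `$domain` line also reads the client-controlled Host header and compares it with loose `!=`; the second patch in this series replaces that line with `$uri->host()`, so only the comparison-style point carries over. The constructor begins outside this hunk.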
@@ -42,7 +42,10 @@ class Session extends \RocketTheme\Toolbox\Session\Session
 $session_path
 );
- $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false;
+ $domain = $uri->host();
+ if ($domain == 'localhost') {
+ $domain = '';
+ }
 $secure = $config->get('system.session.secure', false);
 $httponly = $config->get('system.session.httponly', true);
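Review bot: Passing the request host as the cookie Domain turns the session cookie into a domain cookie that browsers also send to every subdomain of the site, which is broader than the host-only cookie the pre-series `setcookie()` (four arguments, no domain) produced; if cross-subdomain sessions are not a goal, keeping `$domain` as `''` for every host avoids both that widening and the localhost special case this commit works around. If the explicit domain is kept, the comparison should be strict, `if ($domain === 'localhost') {`, since the config-driven value is a string anyway. `$uri` is not defined inside the hunk; I assume it is the Uri object set up earlier in the constructor, which starts outside this view.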