Fix samesite for the cookie session timeout

This commit is contained in:
Laurent Destailleur 2022-11-30 12:39:57 +01:00
parent c22d9f282a
commit 80bcb2fd6d


@ -191,7 +191,23 @@ if (!function_exists('dol_loginfunction')) {
// and the conf file is loaded.
$prefix = dol_getprefix('');
$sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
if (!empty($conf->global->MAIN_SESSION_TIMEOUT)) {
if (PHP_VERSION_ID < 70300) {
session_set_cookie_params(0, '/', null, ((empty($dolibarr_main_force_https) && isHTTPS() === false) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
} else {
// Only available for php >= 7.3
$sessioncookieparams = array(
'lifetime' => 0,
'path' => '/',
//'domain' => '.mywebsite.com', // the dot at the beginning allows compatibility with subdomains
'secure' => ((empty($dolibarr_main_force_https) && isHTTPS() === false) ? false : true),
'httponly' => true,
'samesite' => 'Lax' // None || Lax || Strict
);
session_set_cookie_params($sessioncookieparams);
}
setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", null, (empty($dolibarr_main_force_https) ? false : true), true);
}
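Review bot: The `setcookie($sessiontimeout, ...)` call on the second-to-last line of the hunk still uses the legacy positional signature, which has no SameSite parameter, so the SameSite attribute this commit introduces only reaches the PHP session cookie through `session_set_cookie_params()` and not the timeout cookie that the commit title names. That call also computes `secure` from `$dolibarr_main_force_https` alone, dropping the `isHTTPS() === false` check the two new `session_set_cookie_params()` calls apply, so on a TLS connection that is not forced via the config the timeout cookie is emitted without the Secure flag. On PHP >= 7.3 the options-array form of `setcookie()` carries both attributes, so I would mirror the version split already added above rather than leave the two cookies with different attributes. The hunk's trailing context appears to continue past what is shown, and the surrounding code of this `if (!function_exists('dol_loginfunction'))` region starts outside the hunk.
```php
// … unchanged: session_set_cookie_params() version split …
if (PHP_VERSION_ID < 70300) {
    setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", null, ((empty($dolibarr_main_force_https) && isHTTPS() === false) ? false : true), true);
} else {
    // Same attributes as the session cookie so both cookies get Secure/HttpOnly/SameSite together
    $timeoutcookieparams = array(
        'expires' => 0,
        'path' => '/',
        'secure' => ((empty($dolibarr_main_force_https) && isHTTPS() === false) ? false : true),
        'httponly' => true,
        'samesite' => 'Lax' // None || Lax || Strict
    );
    setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, $timeoutcookieparams);
}
```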