From 67b8fa97a40c6d74856f76da113965747504c492 Mon Sep 17 00:00:00 2001
From: Kazhnuz
Date: Sat, 23 Aug 2025 01:09:03 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Improve=20cookie=20secu?=
 =?UTF-8?q?rity?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes #42
---
 bl-kernel/helpers/session.class.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/bl-kernel/helpers/session.class.php b/bl-kernel/helpers/session.class.php
index 7d59151e..50f80244 100644
--- a/bl-kernel/helpers/session.class.php
+++ b/bl-kernel/helpers/session.class.php
@@ -5,6 +5,11 @@ class Session {
 private static $started = false;
 private static $sessionName = 'KOBLOG-KEY';
 
+ public static function getSessionName()
+ {
+ return (array_key_exists('HTTPS', $_SERVER) ? "__Secure-" : "") . self::$sessionName;
+ }
+
 public static function start($path, $secure)
 {
 // Try to set the session timeout on server side, 1 hour of timeout
@@ -26,11 +31,12 @@ class Session {
 'path' => $path,
 'domain' => $cookieParams["domain"],
 'secure' => $secure,
- 'httponly' => true
+ 'httponly' => true,
+ 'samesite' => 'strict'
 ]);
 
 // Sets the session name to the one set above.
- session_name(self::$sessionName);
+ session_name(self::getSessionName());
 
 // Start session.
 self::$started = session_start();
@@ -52,8 +58,8 @@ class Session {
 {
 session_destroy();
 unset($_SESSION);
- unset($_COOKIE[self::$sessionName]);
- Cookie::set(self::$sessionName, '', -1);
+ unset($_COOKIE[self::getSessionName()]);
+ Cookie::set(self::getSessionName(), '', -1);
 self::$started = false;
 Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
 return !isset($_SESSION);
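Review bot: The `__Secure-` prefix in getSessionName() is decided by the mere presence of the `HTTPS` key in `$_SERVER`, which some SAPIs populate with the string `off` on plain-HTTP requests, while the cookie's Secure attribute is taken from the separate `$secure` argument of start(); whenever the two disagree, browsers refuse a `__Secure-` cookie that lacks the Secure attribute and no session is ever established. The same name is reused in the second hunk (session_name()) and the third (the destroy-time Cookie::set), so the inconsistency would also make the logout deletion ineffective. Checking the value rather than the key, `return ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? '__Secure-' : '') . self::$sessionName;`, removes the `off` case; deriving the prefix from the same `$secure` flag start() uses (for example by remembering the chosen name in a static that start() sets) would close the remaining gap. A `: string` return type and a one-line docblock stating that the prefix is only valid when the cookie is also sent with Secure would help the next reader.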
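Review bot: The new `'samesite' => 'strict'` entry carries no comment, yet it changes observable behaviour that a maintainer may later mistake for a bug: a request that arrives by following a link from another site is sent without the session cookie, so the first page load appears logged out until the user navigates again within the site. A comment such as `// Strict: the cookie is never sent on cross-site navigations, so such requests land unauthenticated; relax to 'Lax' only if that proves a problem` records the trade-off next to the setting. start() begins and ends outside this hunk.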
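Review bot: The logout deletion on the Cookie::set line now targets a name that may carry the `__Secure-` prefix, and browsers discard any Set-Cookie for such a name unless it carries the Secure attribute (with a matching path and domain); Cookie::set's attributes are not visible here, so if it omits Secure the expiring cookie is ignored and the old session id remains in the browser after logout. The preceding `unset($_COOKIE[...])` only clears the server-side copy and does not change that. It is worth confirming that Cookie::set emits `secure`, `httponly` and `samesite` consistent with the params configured in start(), or issuing the deletion through the same session cookie parameters. destroy()'s signature lies above this hunk.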