🔒️ Improve cookie security

Fixes #42
Kazhnuz 2025-08-23 01:09:03 +02:00
parent b261ecce60
commit 67b8fa97a4


@ -5,6 +5,11 @@ class Session {
private static $started = false; private static $started = false;
private static $sessionName = 'KOBLOG-KEY'; private static $sessionName = 'KOBLOG-KEY';
public static function getSessionName()
{
return (array_key_exists('HTTPS', $_SERVER) ? "__Secure-" : "") . self::$sessionName;
}
public static function start($path, $secure) public static function start($path, $secure)
{ {
// Try to set the session timeout on server side, 1 hour of timeout // Try to set the session timeout on server side, 1 hour of timeout
@ -26,11 +31,12 @@ class Session {
'path' => $path, 'path' => $path,
'domain' => $cookieParams["domain"], 'domain' => $cookieParams["domain"],
'secure' => $secure, 'secure' => $secure,
'httponly' => true 'httponly' => true,
'samesite' => 'strict'
]); ]);
// Sets the session name to the one set above. // Sets the session name to the one set above.
session_name(self::$sessionName); session_name(self::getSessionName());
// Start session. // Start session.
self::$started = session_start(); self::$started = session_start();
@ -52,8 +58,8 @@ class Session {
{ {
session_destroy(); session_destroy();
unset($_SESSION); unset($_SESSION);
unset($_COOKIE[self::$sessionName]); unset($_COOKIE[self::getSessionName()]);
Cookie::set(self::$sessionName, '', -1); Cookie::set(self::getSessionName(), '', -1);
self::$started = false; self::$started = false;
Log::set(__METHOD__.LOG_SEP.'Session destroyed.'); Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
return !isset($_SESSION); return !isset($_SESSION);
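Review bot: getSessionName() decides the `__Secure-` prefix from `array_key_exists('HTTPS', $_SERVER)`, while the cookie's Secure attribute (`'secure' => $secure` in the second hunk) comes from the `$secure` argument, so the two can disagree: a `__Secure-`-prefixed cookie set without the Secure attribute is rejected by browsers and the session never persists, and `$_SERVER['HTTPS']` is set to `off` on some SAPIs (so the key exists on plain HTTP) and is typically absent behind a TLS-terminating proxy. Deriving the prefix from the same flag keeps name and attribute consistent: add `private static $secure = false;` next to $sessionName, set `self::$secure = $secure;` in start() before the session_name() call, and return `(self::$secure ? "__Secure-" : "") . self::$sessionName;`. That also keeps getSessionName() stable between start() and destroy() within one request, which the unset/Cookie::set lines in the third hunk rely on. A one-line docblock on getSessionName() such as `/** Session cookie name, prefixed with __Secure- when the cookie carries the Secure attribute. */` would make the intent explicit. The enclosing start() and destroy() bodies continue outside these hunks.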