update session.php

2025-08-17 10:53:13 +02:00 · 2025-08-16 22:02:57 +02:00 · 2025-08-16 22:02:57 +02:00 · f3103fa84e
commit f3103fa84e
parent 9e79d225fa
2 changed files with 30 additions and 30 deletions
--- a/include/main.php
+++ b/include/main.php
@ -49,7 +49,7 @@ if (session_status() == PHP_SESSION_NONE) {
            error_log("session_start() FAILED.");
 			die("Session could not be started.");
        } else {
-            error_log("session_start() SUCCEEDED. Session ID: " . session_id());
+            error_log("session_start() SUCCEEDED ");
        }
    }

--- a/include/tool/Session.php
+++ b/include/tool/Session.php
@ -431,41 +431,41 @@ class Session{
 	 * Attempt to use httponly if available
 	 *
 	 */
-	public static function Cookie($name, $value='', $expires = false){
-		global $dirPrefix;
+	public static function Cookie($name, $value='', $expires = false) {
+    global $dirPrefix;

-		$cookiePath		= empty($dirPrefix) ? '/' : $dirPrefix;
-		$cookiePath		= \gp\tool::HrefEncode($cookiePath, false);
-		$secure			= (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on');
-		$domain			= \gp\tool::ServerName(true);
+    $cookiePath = empty($dirPrefix) ? '/' : $dirPrefix;
+    $cookiePath = \gp\tool::HrefEncode($cookiePath, false);
+    $secure     = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on');
+    $domain     = \gp\tool::ServerName(true);

-		if( !$domain || strpos($domain, '.') === false ){
-			$domain = '';
-		}
+    if( !$domain || strpos($domain, '.') === false ) {
+        $domain = '';
+    }
+    if (strpos($domain, ':') !== false) {
+        $domain = substr($domain, 0, strrpos($domain, ':'));
+    }

-		if( strpos($domain, ':') !== false ){
-			$domain = substr($domain, 0, strrpos($domain, ':'));
-		}
+    // Default expiration: 30 days
+    $expiry = ($expires === false) ? time()+2592000 // 30 days
+            : (($expires === true) ? 0 // session cookie
+            : $expires);

-		// expire if value is empty
-		// cookies are set with either www removed from the domain or with an empty string
-		if( empty($value) ){
-			$expires = time()-2592000;
-			setcookie($name, $value, $expires, $cookiePath, $domain, $secure, true);
-			setcookie($name, $value, $expires, $cookiePath, $domain, false, true);
-			return;
-		}
+    $options = [        'expires'  => $expiry,
+        'path'     => $cookiePath,
+        'domain'   => $domain,
+        'secure'   => $secure,
+        'httponly' => true,
+        'samesite' => 'Strict', // Or 'Lax'
+    ];

+    // If we want to delete the cookie, set expiry to the past
+    if (empty($value)) {
+        $options['expires'] = time()-3600;
+    }

-		// get expiration and set
-		if( $expires === false ){
-			$expires = time()+2592000; //30 days
-		}elseif( $expires === true ){
-			$expires = 0; //expire at end of session
-		}
-
-		setcookie($name, $value, $expires, $cookiePath, $domain, $secure, true);
-	}
+    setcookie($name, $value, $options);
+    }