From f3103fa84e4278a8a3b152bf044c8f11b1322107 Mon Sep 17 00:00:00 2001
From: gtbu
Date: Sat, 16 Aug 2025 22:02:57 +0200
Subject: [PATCH] update session.php
---
 include/main.php | 2 +-
 include/tool/Session.php | 58 ++++++++++++++++++++--------------------
 2 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/include/main.php b/include/main.php
index 3ced801..7b22a3a 100644
--- a/include/main.php
+++ b/include/main.php
@@ -49,7 +49,7 @@ if (session_status() == PHP_SESSION_NONE) {
 error_log("session_start() FAILED.");
 die("Session could not be started.");
 } else {
- error_log("session_start() SUCCEEDED. Session ID: " . session_id());
+ error_log("session_start() SUCCEEDED ");
 }
 }
diff --git a/include/tool/Session.php b/include/tool/Session.php
index c53258d..f6effc7 100644
--- a/include/tool/Session.php
+++ b/include/tool/Session.php
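Review bot: The new literal on the `+` line carries a stray trailing space and drops the sentence-ending period that the FAILED branch just above still uses; `error_log("session_start() SUCCEEDED.");` keeps the two messages consistent. Because this branch runs every time a request reaches session_start() successfully, the success message is likely to flood the error log in production, so consider keeping only the failure log or gating the success log behind a debug setting. Leaving the session identifier out of the log, as this line now does, is the right call, since error logs are commonly readable by more people and tooling than the session store itself. The enclosing if/else begins before the hunk.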
@@ -431,41 +431,41 @@ class Session{
 * Attempt to use httponly if available
 *
 */
- public static function Cookie($name, $value='', $expires = false){
- global $dirPrefix;
+ public static function Cookie($name, $value='', $expires = false) {
+ global $dirPrefix;
- $cookiePath = empty($dirPrefix) ? '/' : $dirPrefix;
- $cookiePath = \gp\tool::HrefEncode($cookiePath, false);
- $secure = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on');
- $domain = \gp\tool::ServerName(true);
+ $cookiePath = empty($dirPrefix) ? '/' : $dirPrefix;
+ $cookiePath = \gp\tool::HrefEncode($cookiePath, false);
+ $secure = (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on');
+ $domain = \gp\tool::ServerName(true);
- if( !$domain || strpos($domain, '.') === false ){
- $domain = '';
- }
+ if( !$domain || strpos($domain, '.') === false ) {
+ $domain = '';
+ }
+ if (strpos($domain, ':') !== false) {
+ $domain = substr($domain, 0, strrpos($domain, ':'));
+ }
- if( strpos($domain, ':') !== false ){
- $domain = substr($domain, 0, strrpos($domain, ':'));
- }
+ // Default expiration: 30 days
+ $expiry = ($expires === false) ? time()+2592000 // 30 days
+ : (($expires === true) ? 0 // session cookie
+ : $expires);
- // expire if value is empty
- // cookies are set with either www removed from the domain or with an empty string
- if( empty($value) ){
- $expires = time()-2592000;
- setcookie($name, $value, $expires, $cookiePath, $domain, $secure, true);
- setcookie($name, $value, $expires, $cookiePath, $domain, false, true);
- return;
- }
+ $options = [ 'expires' => $expiry,
+ 'path' => $cookiePath,
+ 'domain' => $domain,
+ 'secure' => $secure,
+ 'httponly' => true,
+ 'samesite' => 'Strict', // Or 'Lax'
+ ];
+ // If we want to delete the cookie, set expiry to the past
+ if (empty($value)) {
+ $options['expires'] = time()-3600;
+ }
- // get expiration and set
- if( $expires === false ){
- $expires = time()+2592000; //30 days
- }elseif( $expires === true ){
- $expires = 0; //expire at end of session
- }
-
- setcookie($name, $value, $expires, $cookiePath, $domain, $secure, true);
- }
+ setcookie($name, $value, $options);
+ }