From 23c48b83e4fb55ce3d054ccd3501735cf3fa3a67 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 6 Apr 2020 11:16:35 +0200
Subject: [PATCH] Fix change position of session_set_cookie_param / session_name

---
 htdocs/main.inc.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index ece5ac096c8..f17579e9d78 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -209,8 +209,8 @@ $prefix = dol_getprefix('');
 $sessionname = 'DOLSESSID_'.$prefix;
 $sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
 if (!empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
-session_name($sessionname);
 session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
+session_name($sessionname);
 // This create lock, released when session_write_close() or end of page.
 // We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
 if (!defined('NOSESSION'))
@@ -256,7 +256,6 @@ if (isset($_SERVER["HTTP_USER_AGENT"]))
 if ($conf->browser->layout == 'phone') $conf->dol_no_mouse_hover = 1;
 }
-
 // Force HTTPS if required ($conf->file->main_force_https is 0/1 or 'https dolibarr root url')
 // $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off'
 if (!empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on'))
@@ -343,7 +342,6 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE
 }
 }
-//var_dump(GETPOST('token').' '.$_SESSION['token'].' - '.newToken().' '.$_SERVER['SCRIPT_FILENAME']);
 // Creation of a token against CSRF vulnerabilities
 if (!defined('NOTOKENRENEWAL'))
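Review bot: The Secure flag passed to `session_set_cookie_params(...)` in the first hunk is derived only from `$dolibarr_main_force_https`, so an instance that is served over HTTPS without that setting still issues a session cookie the browser will also send over plain HTTP. I would derive it from the request as well, e.g. `$cookiesecure = !empty($dolibarr_main_force_https) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');` and pass `$cookiesecure` as the fourth argument. The same hunk also feeds `$_COOKIE[$sessiontimeout]`, a client-controlled value, straight into `ini_set('session.gc_maxlifetime', ...)`; casting it to a positive integer before use (`(int) $_COOKIE[$sessiontimeout]` with a `> 0` check) would keep a forged cookie from setting an arbitrary lifetime string. No SameSite attribute is set either; if the supported PHP range includes 7.3+, the array form of `session_set_cookie_params` accepts `'samesite' => 'Lax'`, but that range is not visible here. This is top-level code in main.inc.php with no enclosing function.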
@@ -619,8 +617,8 @@ if (!defined('NOLOGIN'))
 {
 dol_syslog('User not found, connexion refused');
 session_destroy();
-session_name($sessionname);
 session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
+session_name($sessionname);
 session_start();
 if ($resultFetchUser == 0)
@@ -673,8 +671,8 @@ if (!defined('NOLOGIN'))
 // Account has been removed after login
 dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
 session_destroy();
-session_name($sessionname);
 session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
+session_name($sessionname);
 session_start();
 if ($resultFetchUser == 0)
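Review bot: After `session_destroy();` the `session_start();` that follows the moved `session_name($sessionname);` can resume under the session ID the client presented, because nothing in this path regenerates it; whether PHP actually reuses that ID depends on `session.use_strict_mode`, which is not visible here. Since both hunks run after a login that was refused (`User not found, connexion refused`) or a user that disappeared (`Account has been removed after login`), I would follow each `session_start();` with `session_regenerate_id(true);` so the rejected session's identifier is not carried into the fresh one. The same observation applies to the identical second hunk on this line. Both hunks sit inside the `if (!defined('NOLOGIN'))` block, which starts and ends outside this hunk.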