Fix change position of session_set_cookie_param / session_name

This commit is contained in:
Laurent Destailleur
2020-04-06 11:16:35 +02:00
parent 4f8b3e0646
commit 23c48b83e4


@@ -209,8 +209,8 @@ $prefix = dol_getprefix('');
$sessionname = 'DOLSESSID_'.$prefix;
$sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
if (!empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
session_name($sessionname);
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
session_name($sessionname);
// This create lock, released when session_write_close() or end of page.
// We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
if (!defined('NOSESSION'))
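Review bot: The `session_set_cookie_params(...)` / `session_name($sessionname)` pair whose order this hunk fixes is now spelled out verbatim in three places (here and in the two hunks at new-file lines 617 and 671), so the cookie flags and call order can silently drift between them; a small helper that wraps both calls, e.g. `dol_init_session_cookie($sessionname)` containing exactly these two statements, would keep them in one place. The secure flag is derived only from `$dolibarr_main_force_https`, so a deployment that serves HTTPS without forcing it sends the session cookie without Secure; such a helper could also consult `$_SERVER['HTTPS']` when deciding that flag. Nothing in these calls sets SameSite; on PHP 7.3+ `session_set_cookie_params` accepts an options array with a `samesite` key, which would complement the CSRF token renewal visible at new-file line 342. The surrounding top-level code continues outside the hunk.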
@@ -256,7 +256,6 @@ if (isset($_SERVER["HTTP_USER_AGENT"]))
if ($conf->browser->layout == 'phone') $conf->dol_no_mouse_hover = 1;
}
// Force HTTPS if required ($conf->file->main_force_https is 0/1 or 'https dolibarr root url')
// $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off'
if (!empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on'))
@@ -343,7 +342,6 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE
}
}
//var_dump(GETPOST('token').' '.$_SESSION['token'].' - '.newToken().' '.$_SERVER['SCRIPT_FILENAME']);
// Creation of a token against CSRF vulnerabilities
if (!defined('NOTOKENRENEWAL'))
@@ -619,8 +617,8 @@ if (!defined('NOLOGIN'))
{
dol_syslog('User not found, connexion refused');
session_destroy();
session_name($sessionname);
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
session_name($sessionname);
session_start();
if ($resultFetchUser == 0)
@@ -673,8 +671,8 @@ if (!defined('NOLOGIN'))
// Account has been removed after login
dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
session_destroy();
session_name($sessionname);
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
session_name($sessionname);
session_start();
if ($resultFetchUser == 0)