Only create session when user successfully logs in

Also, enable session.use_strict_mode to prevent session fixation attacks
Larry Meaney
2019-10-18 22:53:06 -07:00
parent c1ddcfab10
commit 0e3f8bdd0f
3 changed files with 25 additions and 21 deletions


@@ -1,18 +1,18 @@
<?php
session_name("unraid_".md5(strstr($_SERVER['HTTP_HOST'].':', ':', true)));
session_set_cookie_params(0, '/; samesite=strict', null, array_key_exists('HTTPS', $_SERVER), true);
session_start();
// authorized
if (isset($_SESSION["unraid_login"])) {
if (time() - $_SESSION['unraid_login'] > 300) {
$_SESSION['unraid_login'] = time();
// only start the session if a session cookie exists
if (isset($_COOKIE[session_name()])) {
session_start();
// authorized?
if (isset($_SESSION["unraid_login"])) {
if (time() - $_SESSION['unraid_login'] > 300) {
$_SESSION['unraid_login'] = time();
}
session_write_close();
http_response_code(200);
exit;
}
session_write_close();
http_response_code(200);
exit;
}
session_write_close();
$arrWhitelist = [
'/webGui/styles/clear-sans-bold-italic.eot',