mirror/webgui
1
0
Fork 0
mirror of https://github.com/unraid/webgui.git synced 2026-04-23 10:38:50 -05:00
Code Issues Packages Projects Releases Wiki Activity

Only create session when user successfully logs in

Browse Source 
Also, enable session.use_strict_mode to prevent session fixation attacks
This commit is contained in:
Larry Meaney
2019-10-18 22:53:06 -07:00
parent c1ddcfab10
commit 0e3f8bdd0f
3 changed files with 25 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
plugins/dynamix/include/local_prepend.php
+3
View File
@@ -22,6 +22,9 @@ putenv('PATH=.:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin');
chdir('/usr/local/emhttp');
setlocale(LC_ALL,'en_US.UTF-8');
date_default_timezone_set(substr(readlink('/etc/localtime-copied-from'),20));
ini_set("session.use_strict_mode", "1");
session_name("unraid_".md5(strstr($_SERVER['HTTP_HOST'].':', ':', true)));
session_set_cookie_params(0, '/; samesite=strict', null, array_key_exists('HTTPS', $_SERVER), true);
if ($_SERVER['SCRIPT_NAME'] != '/login.php' && $_SERVER['SCRIPT_NAME'] != '/auth_request.php' && isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
if (!isset($var)) $var = parse_ini_file('state/var.ini');
if (!isset($var['csrf_token'])) csrf_terminate("uninitialized");