From 5caac014dfc1b6eb1adb3b4c7da08b7693bc2a89 Mon Sep 17 00:00:00 2001
From: Josh North
Date: Mon, 18 Oct 2021 10:38:41 -0400
Subject: [PATCH] fix siteid cookie to secure
---
 .tmp/index.php | 2 +-
 assets/index.php | 2 +-
 changelang.php | 4 ++--
 changesite.php | 4 ++--
 classes/index.php | 2 +-
 classes/misc/csrf.php | 2 +-
 classes/misc/index.php | 2 +-
 css/index.php | 2 +-
 fonts/index.php | 2 +-
 inc/header.inc.php | 5 +++--
 inc/index.php | 2 +-
 js/index.php | 2 +-
 logout.php | 2 +-
 printvwf.php | 2 +-
 profile.php | 2 +-
 reports.php | 2 +-
 signin.php | 2 +-
 signin_display.php | 2 +-
 signout.php | 2 +-
 src/Config/index.php | 2 +-
 src/Database/index.php | 2 +-
 src/Language/index.php | 2 +-
 src/Misc/Csrf.php | 2 +-
 src/Misc/index.php | 2 +-
 src/index.php | 2 +-
 users.php | 2 +-
 webfonts/index.php | 2 +-
 27 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/.tmp/index.php b/.tmp/index.php
index fbf2463..5b19b90 100644
--- a/.tmp/index.php
+++ b/.tmp/index.php
@@ -21,6 +21,6 @@
 ini_set('session.use_cookies', '1');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.cookie_lifetime', '0');
- ini_set('session.cookie_secure', '0');
+ ini_set('session.cookie_secure', '1');
 ini_set('session.cookie_httponly', '1');
 ini_set('session.cookie_samesite', 'Strict');
diff --git a/assets/index.php b/assets/index.php
index fbf2463..5b19b90 100644
--- a/assets/index.php
+++ b/assets/index.php
@@ -21,6 +21,6 @@
 ini_set('session.use_cookies', '1');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.cookie_lifetime', '0');
- ini_set('session.cookie_secure', '0');
+ ini_set('session.cookie_secure', '1');
 ini_set('session.cookie_httponly', '1');
 ini_set('session.cookie_samesite', 'Strict');
diff --git a/changelang.php b/changelang.php
index b8bec12..cf15611 100755
--- a/changelang.php
+++ b/changelang.php
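Review bot: The `ini_set('session.cookie_secure', '1')` flip is applied as an identical copy in `.tmp/index.php` and `assets/index.php` here, and again in `classes/index.php`, `classes/misc/index.php`, `css/index.php` and `fonts/index.php` below (the diffstat lists a dozen more `index.php` files with the same 2-line change), so the session-cookie policy is now duplicated in every directory guard and must be kept in sync by hand. Hoisting the six `ini_set('session.*', …)` lines into one shared include (`<shared-session-bootstrap-include>` as a placeholder name) that each `index.php` requires would make the next hardening a one-file change. With `cookie_secure` on, browsers no longer send the session cookie over plain HTTP, so any remaining HTTP entry point or a non-TLS dev setup will silently lose its session; pair the change with an HTTPS redirect and HSTS at the server. It also only takes effect if these `ini_set` calls run before `session_start()`, which is outside the hunk and worth confirming.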
@@ -20,8 +20,8 @@
 // only works with new php?
 setcookie ( 'app_disp_lang', $app_disp_lang, [
 'expires' => time() + 60*60*24*90,
- 'secure' => false,
- 'httponly' => false,
+ 'secure' => true,
+ 'httponly' => true,
 'samesite' => 'Strict',
 ]);
 //setcookie ( 'app_disp_lang', $app_disp_lang, time() + 60*60*24*90); // SET SITE COOKIE
diff --git a/changesite.php b/changesite.php
index a5e44fd..0bfed16 100755
--- a/changesite.php
+++ b/changesite.php
@@ -19,8 +19,8 @@
 $site = filter_input(INPUT_POST, 'site', FILTER_SANITIZE_STRING); // GET SANITARY SITE CHOICE
 setcookie ( 'app_site', $site, [
 'expires' => time() + 60*60*24*90,
- 'secure' => false,
- 'httponly' => false,
+ 'secure' => true,
+ 'httponly' => true,
 'samesite' => 'Strict',
 ]);
 //setcookie ( 'app_site', $site, time() + 60*60*24*90); // SET SITE COOKIE
diff --git a/classes/index.php b/classes/index.php
index fbf2463..5b19b90 100755
--- a/classes/index.php
+++ b/classes/index.php
@@ -21,6 +21,6 @@
 ini_set('session.use_cookies', '1');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.cookie_lifetime', '0');
- ini_set('session.cookie_secure', '0');
+ ini_set('session.cookie_secure', '1');
 ini_set('session.cookie_httponly', '1');
 ini_set('session.cookie_samesite', 'Strict');
diff --git a/classes/misc/csrf.php b/classes/misc/csrf.php
index 1653827..cdd72a1 100644
--- a/classes/misc/csrf.php
+++ b/classes/misc/csrf.php
@@ -33,7 +33,7 @@ class csrf {
 setcookie ( self::makeCookieName($page), $token->cookietoken, [
 'expires' => $token->expiry,
- 'secure' => false,
+ 'secure' => true,
 'httponly' => true,
 'samesite' => 'Strict',
 ]);
diff --git a/classes/misc/index.php b/classes/misc/index.php
index fbf2463..5b19b90 100755
--- a/classes/misc/index.php
+++ b/classes/misc/index.php
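Review bot: The context comment `// only works with new php?` above the new flags should be made definite now that the hardened flags depend on it: the options-array form of `setcookie()` used here, including the `'samesite'` key, exists only on PHP 7.3 and later, and on older PHP the call fails rather than setting a less strict cookie. Replace it with `// setcookie() options array (incl. 'samesite') requires PHP >= 7.3` and delete the commented-out legacy `//setcookie(...)` line at the bottom of the hunk, since it is no longer a viable fallback. The options also omit `'path'`, which PHP defaults to the directory the cookie is set from; that is `/` only if `changelang.php` is served from the document root, so consider adding `'path' => '/'` explicitly. The `setcookie()` in `changesite.php` below has the same two gaps.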
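Review bot: `$site` goes into the `app_site` cookie without any check on the write side; the only validation visible in this commit is on read, where `inc/header.inc.php` looks the cookie value up in `$lookup_array`. Validating before `setcookie()` — rejecting the request unless `$site` is one of the caller's permitted site ids — keeps the read-side check as defence in depth instead of the only gate, and also avoids emitting an empty cookie when the POST field is absent (`filter_input()` returns `null` then). The context line's `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1; if site ids are integers (not visible here), `FILTER_VALIDATE_INT` replaces it and gives the type check for free.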
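Review bot: With this change the `['expires' => …, 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']` option set is now spelled out verbatim here, in `changelang.php`, in `changesite.php` and (as `ini_set` equivalents) in every `index.php`; a small shared helper such as `cookieOptions(int $expires): array` returning that array would let a future flag (for example `'path'`) be added once. The diffstat also lists `src/Misc/Csrf.php` with the same one-line change as this file, which suggests the CSRF class exists in two copies; if so, a comment above the `setcookie()` call naming the counterpart, e.g. `// duplicated in src/Misc/Csrf.php — keep cookie flags in sync`, would stop the copies drifting. The enclosing method of class `csrf` begins and ends outside the hunk.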
@@ -21,6 +21,6 @@
 ini_set('session.use_cookies', '1');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.cookie_lifetime', '0');
- ini_set('session.cookie_secure', '0');
+ ini_set('session.cookie_secure', '1');
 ini_set('session.cookie_httponly', '1');
 ini_set('session.cookie_samesite', 'Strict');
diff --git a/css/index.php b/css/index.php
index fbf2463..5b19b90 100644
--- a/css/index.php
+++ b/css/index.php
@@ -21,6 +21,6 @@
 ini_set('session.use_cookies', '1');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.cookie_lifetime', '0');
- ini_set('session.cookie_secure', '0');
+ ini_set('session.cookie_secure', '1');
 ini_set('session.cookie_httponly', '1');
 ini_set('session.cookie_samesite', 'Strict');
diff --git a/fonts/index.php b/fonts/index.php
index fbf2463..5b19b90 100644
--- a/fonts/index.php
+++ b/fonts/index.php
@@ -21,6 +21,6 @@
 ini_set('session.use_cookies', '1');
 ini_set('session.use_only_cookies', '1');
 ini_set('session.cookie_lifetime', '0');
- ini_set('session.cookie_secure', '0');
+ ini_set('session.cookie_secure', '1');
 ini_set('session.cookie_httponly', '1');
 ini_set('session.cookie_samesite', 'Strict');
diff --git a/inc/header.inc.php b/inc/header.inc.php
index 7f83911..4ff8a11 100644
--- a/inc/header.inc.php
+++ b/inc/header.inc.php
@@ -65,7 +65,7 @@
 $app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP LANGUAGE
 if(!isset($app_disp_lang)) { $app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
- $siteidcookie = filter_input(INPUT_COOKIE, 'app_site'); // SETUP SITE
+ $siteidcookie = filter_input(INPUT_COOKIE, 'app_site', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP SITE
 foreach($SiteInfo->getSite("0", $uid, "0", "0") as $arr) { $lookup_array[$arr['sites_id']]=1; }
 if(isset($lookup_array[$siteidcookie])) {
@@ -234,7 +234,8 @@
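Review bot: `FILTER_SANITIZE_FULL_SPECIAL_CHARS` on the new line HTML-encodes the cookie value rather than validating it, and `$siteidcookie` is only ever used as a key into `$lookup_array`, which is populated from `$arr['sites_id']`; if site ids are integers (not visible in the hunk), `FILTER_VALIDATE_INT` is the tighter choice — it yields `false` for anything that is not an id, whereas the sanitize filter merely turns an odd value into an entity that can never match. `$lookup_array` is also never initialised before the `foreach`, so when `getSite()` returns no rows it stays undefined; `isset($lookup_array[$siteidcookie])` tolerates that, but a later iteration or `count()` would not, so add `$lookup_array = [];` before the loop. The `if(isset(...)) {` on the last line opens a block that continues outside the hunk.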