danwin1210/le-chat-php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Harden all cookies

Browse Source
This commit is contained in:
Daniel Winzen
2020-05-07 20:50:20 +02:00
parent e9a1d61027
commit 035cfa6aa4
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
chat.php
View File

@ -2266,6 +2266,14 @@ function is_definitely_ssl() {
return false; return false;
} }
function set_secure_cookie($name, $value){
if (version_compare(PHP_VERSION, '7.3.0') >= 0) {
setcookie($name, $value, ['expires' => 0, 'path' => '/', 'domain' => '', 'secure' => is_definitely_ssl(), 'httponly'=>true, 'samesite' => 'Strict']);
}else{
setcookie($name, $value, 0, '/', '', is_definitely_ssl(), true);
}
}
function write_new_session($password){ function write_new_session($password){
global $I, $U, $db; global $I, $U, $db;
$stmt=$db->prepare('SELECT * FROM ' . PREFIX . 'sessions WHERE nickname=?;'); $stmt=$db->prepare('SELECT * FROM ' . PREFIX . 'sessions WHERE nickname=?;');
@ -2275,11 +2283,7 @@ function write_new_session($password){
if(password_verify($password, $temp['passhash'])){ if(password_verify($password, $temp['passhash'])){
$U=$temp; $U=$temp;
check_kicked(); check_kicked();
if (version_compare(PHP_VERSION, '7.3.0') >= 0) { set_secure_cookie(COOKIENAME, $U['session']);
setcookie(COOKIENAME, $U['session'], ['expires' => 0, 'path' => '/', 'domain' => '', 'secure' => is_definitely_ssl(), 'httponly'=>true, 'samesite' => 'Strict']);
}else{
setcookie(COOKIENAME, $U['session'], 0, '/', '', is_definitely_ssl(), true);
}
}else{ }else{
send_error("$I[userloggedin]<br>$I[wrongpass]"); send_error("$I[userloggedin]<br>$I[wrongpass]");
} }
@ -2306,11 +2310,7 @@ function write_new_session($password){
} }
$stmt=$db->prepare('INSERT INTO ' . PREFIX . 'sessions (session, nickname, status, refresh, style, lastpost, passhash, useragent, bgcolour, entry, timestamps, embed, incognito, ip, nocache, tz, eninbox, sortupdown, hidechatters, nocache_old) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);'); $stmt=$db->prepare('INSERT INTO ' . PREFIX . 'sessions (session, nickname, status, refresh, style, lastpost, passhash, useragent, bgcolour, entry, timestamps, embed, incognito, ip, nocache, tz, eninbox, sortupdown, hidechatters, nocache_old) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);');
$stmt->execute([$U['session'], $U['nickname'], $U['status'], $U['refresh'], $U['style'], $U['lastpost'], $U['passhash'], $useragent, $U['bgcolour'], $U['entry'], $U['timestamps'], $U['embed'], $U['incognito'], $ip, $U['nocache'], $U['tz'], $U['eninbox'], $U['sortupdown'], $U['hidechatters'], $U['nocache_old']]); $stmt->execute([$U['session'], $U['nickname'], $U['status'], $U['refresh'], $U['style'], $U['lastpost'], $U['passhash'], $useragent, $U['bgcolour'], $U['entry'], $U['timestamps'], $U['embed'], $U['incognito'], $ip, $U['nocache'], $U['tz'], $U['eninbox'], $U['sortupdown'], $U['hidechatters'], $U['nocache_old']]);
if (version_compare(PHP_VERSION, '7.3.0') >= 0) { set_secure_cookie(COOKIENAME, $U['session']);
setcookie(COOKIENAME, $U['session'], ['expires' => 0, 'path' => '/', 'domain' => '', 'secure' => is_definitely_ssl(), 'httponly'=>true, 'samesite' => 'Strict']);
}else{
setcookie(COOKIENAME, $U['session'], 0, '/', '', is_definitely_ssl(), true);
}
if($U['status']>=3 && !$U['incognito']){ if($U['status']>=3 && !$U['incognito']){
add_system_message(sprintf(get_setting('msgenter'), style_this(htmlspecialchars($U['nickname']), $U['style']))); add_system_message(sprintf(get_setting('msgenter'), style_this(htmlspecialchars($U['nickname']), $U['style'])));
} }
@ -4186,13 +4186,13 @@ function load_lang(){
if(isset($_REQUEST['lang']) && isset($L[$_REQUEST['lang']])){ if(isset($_REQUEST['lang']) && isset($L[$_REQUEST['lang']])){
$language=$_REQUEST['lang']; $language=$_REQUEST['lang'];
if(!isset($_COOKIE['language']) || $_COOKIE['language']!==$language){ if(!isset($_COOKIE['language']) || $_COOKIE['language']!==$language){
setcookie('language', $language); set_secure_cookie('language', $language);
} }
}elseif(isset($_COOKIE['language']) && isset($L[$_COOKIE['language']])){ }elseif(isset($_COOKIE['language']) && isset($L[$_COOKIE['language']])){
$language=$_COOKIE['language']; $language=$_COOKIE['language'];
}else{ }else{
$language=LANG; $language=LANG;
setcookie('language', $language); set_secure_cookie('language', $language);
} }
include('lang_en.php'); //always include English include('lang_en.php'); //always include English
if($language!=='en'){ if($language!=='en'){