From 9f5c519652b36f64b31f4828d1af6801ffccb5ed Mon Sep 17 00:00:00 2001
From: Daniel Winzen <daniel@danwin1210.me>
Date: Fri, 16 Oct 2020 11:11:11 +0200
Subject: [PATCH] Set secure cookie attributes
---
 common_config.php | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/common_config.php b/common_config.php
index e95379e..60faba1 100644
--- a/common_config.php
+++ b/common_config.php
@@ -51,7 +51,7 @@ $L=[
 if(isSet($_REQUEST['lang']) && isSet($L[$_REQUEST['lang']])){
 $language=$_REQUEST['lang'];
 if(!isSet($_COOKIE['language']) || $_COOKIE['language']!==$language){
- setcookie('language', $language);
+ set_secure_cookie('language', $language);
 }
 }elseif(isSet($_COOKIE['language']) && isSet($L[$_COOKIE['language']])){
 $language=$_COOKIE['language'];
@@ -131,3 +131,24 @@ function send_headers(array $styles = []){
 exit; // headers sent, no further processing needed
 }
 }
+
+function set_secure_cookie($name, $value){
+ if (version_compare(PHP_VERSION, '7.3.0') >= 0) {
+ setcookie($name, $value, ['expires' => 0, 'path' => '/', 'domain' => '', 'secure' => is_definitely_ssl(), 'httponly' => true, 'samesite' => 'Strict']);
+ }else{
+ setcookie($name, $value, 0, '/', '', is_definitely_ssl(), true);
+ }
+}
+
+function is_definitely_ssl() {
+ if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+ return true;
+ }
+ if (isset($_SERVER['SERVER_PORT']) && ('443' == $_SERVER['SERVER_PORT'])) {
+ return true;
+ }
+ if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && ('https' === $_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+ return true;
+ }
+ return false;
+}
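Review bot: `is_definitely_ssl()` in the second hunk honours `HTTP_X_FORWARDED_PROTO` from any request, so its answer is only as trustworthy as the proxy in front of the app; without a check that `$_SERVER['REMOTE_ADDR']` is one of the deployment's trusted proxies (a placeholder list such as `$TRUSTED_PROXIES`, to be filled from config), a plain-HTTP request carrying that header makes `set_secure_cookie()` emit a `Secure` cookie that browsers then refuse to store, and the function's name invites reuse for decisions stronger than a cookie flag. The `'443' == $_SERVER['SERVER_PORT']` test is the one loose comparison in code that otherwise uses `===`; `SERVER_PORT` is delivered as a string, so `'443' === $_SERVER['SERVER_PORT']` is both safe and consistent. A docblock on `is_definitely_ssl()` should record the trust boundary, e.g. `/** True when the request arrived over TLS, either directly or via a proxy that sets X-Forwarded-Proto; the header is only meaningful if the proxy is known to overwrite it. */`. Note also that `'samesite' => 'Strict'` means a cross-site link into the site will not carry the language cookie on that first navigation, so the page falls back to the default language until a same-site request follows — `Lax` is the usual choice for a preference cookie if that is not the intended behaviour.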