Critical Updates, Fight Against Insecurity

This commit is contained in:
Focuslinkstech 2024-10-09 15:47:41 +01:00 committed by Ibnu Maksum
parent 71d653f3d1
commit c08c069479
No known key found for this signature in database
GPG Key ID: 7FC82848810579E5


@ -53,28 +53,51 @@ class Admin
{ {
global $db_pass, $config; global $db_pass, $config;
$enable_session_timeout = $config['enable_session_timeout']; $enable_session_timeout = $config['enable_session_timeout'];
$session_timeout_duration = intval($config['session_timeout_duration']) * 60; // Convert minutes to seconds
if (isset($aid)) { if (isset($aid)) {
$time = time(); $time = time();
$token = $aid . '.' . $time . '.' . sha1($aid . '.' . $time . '.' . $db_pass); $token = $aid . '.' . $time . '.' . sha1("$aid.$time.$db_pass");
setcookie('aid', $token, time() + 86400 * 7);
// Detect the current protocol
$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
// Set cookie with security flags
setcookie('aid', $token, [
'expires' => time() + 86400 * 7, // 7 days
'path' => '/',
'domain' => APP_URL,
'secure' => $isSecure,
'httponly' => true,
'samesite' => 'Lax', // or Strict
]);
$_SESSION['aid'] = $aid; $_SESSION['aid'] = $aid;
if ($enable_session_timeout) { if ($enable_session_timeout) {
$timeout = 60;
if ($config['session_timeout_duration']) {
$timeout = intval($config['session_timeout_duration']);
}
$session_timeout_duration = $timeout * 60; // Convert minutes to seconds
$_SESSION['aid_expiration'] = $time + $session_timeout_duration; $_SESSION['aid_expiration'] = $time + $session_timeout_duration;
} }
return $token; return $token;
} }
return ''; return '';
} }
public static function removeCookie() public static function removeCookie()
{ {
if (isset($_COOKIE['aid'])) { if (isset($_COOKIE['aid'])) {
setcookie('aid', '', time() - 86400); $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
setcookie('aid', '', [
'expires' => time() - 3600,
'path' => '/',
'domain' => APP_URL,
'secure' => $isSecure,
'httponly' => true,
'samesite' => 'Lax',
]);
unset($_COOKIE['aid']);
} }
} }
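Review bot: The `'domain' => APP_URL` entry in the new setcookie() option arrays (both in the method opened at the top of the hunk and in removeCookie()) looks wrong: the cookie `domain` attribute takes a bare hostname, and if APP_URL holds a full URL with a scheme or path, as the name suggests, browsers will reject the Set-Cookie header, so the `aid` cookie is never stored and never cleared. Even when it is a plain host, naming the domain explicitly widens the cookie to every subdomain, whereas omitting the key yields a host-only cookie, which is the safer default for a login token; drop the line in both places or derive the host with `'domain' => parse_url(APP_URL, PHP_URL_HOST) ?: '',` if subdomain sharing is actually needed. The `$isSecure` detection is duplicated verbatim in both methods and could live in one private static helper, noting that behind a TLS-terminating proxy `$_SERVER['HTTPS']` is often unset and the `secure` flag would then be false. The method whose body starts at the hunk's first line has its signature outside the hunk.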