From 73dbbcd72c4ae3d4e698b25a6000e451c83785ad Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 3 Jul 2017 19:17:13 +0200
Subject: [PATCH] csrf/cookie, fix Secure Attribute and align session cookie in authgui.inc
---
src/etc/inc/authgui.inc | 3 ++-
src/www/csrf.inc | 7 +++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 826bd5d1d..39c86415e 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -170,7 +170,8 @@ function session_auth(&$Login_Error)
if (session_status() == PHP_SESSION_NONE) {
if (session_start()) {
$sess_name = session_name();
- setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
+ $secure = $config['system']['webgui']['protocol'] == "https";
+ setcookie(session_name(), session_id(), null, '/', null, $secure, true);
}
}
diff --git a/src/www/csrf.inc b/src/www/csrf.inc
index cb9cf2db6..cb119e894 100644
--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
@@ -43,11 +43,14 @@ class LegacyCSRF
private function Session()
{
+ global $config;
if ($this->session == null) {
$this->session = new Phalcon\Session\Adapter\Files();
$this->session->start();
- $secure = $config['system']['webgui']['protocol'] == 'https';
- setcookie(session_name(), session_id(), null, '/', null, $secure, true);
+ if (!isset($_COOKIE[session_name()])) {
+ $secure = $config['system']['webgui']['protocol'] == 'https';
+ setcookie(session_name(), session_id(), null, '/', null, $secure, true);
+ }
$this->di->setShared('session', $this->session);
}
}
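Review bot: `$sess_name = session_name();` on the context line directly above the change is now a dead local, because the new setcookie() call passes `session_name()` itself; either drop that assignment or write `setcookie($sess_name, session_id(), null, '/', null, $secure, true);`. Calling setcookie() after a successful session_start() also emits a second Set-Cookie for the same name next to the one PHP sends itself when session.use_cookies is on; `session_set_cookie_params(0, '/', '', $secure, true);` placed before session_start() avoids the duplicate header and also covers ids PHP generates on its own. The csrf.inc hunk in this same commit had to add `global $config;` for this exact expression, so confirm session_auth() already declares it — the function starts outside the hunk and the scope of `$config` here is not visible.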
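Review bot: The new `!isset($_COOKIE[session_name()])` guard skips the cookie whenever the client presented one, even when the id it carries is not the id the session actually started with (an id rejected under session.use_strict_mode, or a regeneration elsewhere in the request); in that case the browser is left with whatever cookie PHP issues itself, without the Secure/HttpOnly attributes unless php.ini already sets them. Compare the value rather than only its presence: `if (!isset($_COOKIE[session_name()]) || $_COOKIE[session_name()] !== session_id()) {`. Setting `session.cookie_secure`/`session.cookie_httponly` (or session_set_cookie_params()) before `$this->session->start()` would make the attributes hold regardless of which side issues the cookie, and would let the guard go entirely. The added `global $config;` is what makes the `$secure` expression meaningful here, so the guard is the only open question in this hunk.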