(ui) set httponly cookie, closes https://github.com/opnsense/core/issues/897

2026-03-17 01:54:49 +00:00 · 2016-04-18 18:38:18 +02:00 · 2016-04-18 18:38:18 +02:00 · da71e1a020
commit da71e1a020
parent b78720b894
3 changed files with 24 additions and 1 deletions
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@ -168,7 +168,10 @@ function session_auth(&$Login_Error)
    );

    if (session_status() == PHP_SESSION_NONE) {
-        session_start();
+        if (session_start()) {
+            $sess_name = session_name();
+            setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
+        }
    }

    // Detect protocol change
--- a/src/opnsense/mvc/app/config/services.php
+++ b/src/opnsense/mvc/app/config/services.php
@ -7,6 +7,7 @@ use Phalcon\Db\Adapter\Pdo\Mysql as DbAdapter;
 use Phalcon\Mvc\View\Engine\Volt as VoltEngine;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
 use Phalcon\Session\Adapter\Files as SessionAdapter;
+use OPNsense\Core\Config;

 /**
 * The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
@ -75,6 +76,15 @@ $di->set('modelsMetadata', function () {
 $di->setShared('session', function () {
    $session = new SessionAdapter();
    $session->start();
+    // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
+    // a valid choice.
+    $cnf = Config::getInstance();
+    if ((string)$cnf->object()->system->webgui->protocol == 'https') {
+        $secure = true;
+    } else {
+        $secure = false;
+    }
+    setcookie(session_name(), session_id(), null, '/', null, $secure, true);

    return $session;
 });
--- a/src/opnsense/mvc/app/config/services_api.php
+++ b/src/opnsense/mvc/app/config/services_api.php
@ -34,6 +34,7 @@ use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
 use Phalcon\Session\Adapter\Files as SessionAdapter;
+use OPNsense\Core\Config;

 /**
 * The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
@ -62,6 +63,15 @@ $di->set('url', function () use ($config) {
 $di->setShared('session', function () {
    $session = new SessionAdapter();
    $session->start();
+    // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
+    // a valid choice.
+    $cnf = Config::getInstance();
+    if ((string)$cnf->object()->system->webgui->protocol == 'https') {
+        $secure = true;
+    } else {
+        $secure = false;
+    }
+    setcookie(session_name(), session_id(), null, '/', null, $secure, true);

    return $session;
 });