From c869f29f0d58ddc49d0921bb5eba137ed9175f0b Mon Sep 17 00:00:00 2001
From: MayCactus <138797510+maycactus-FOSS@users.noreply.github.com>
Date: Wed, 18 Oct 2023 22:27:00 -0400
Subject: [PATCH] =?UTF-8?q?=EC=84=B8=EC=85=98=20=EC=BF=A0=ED=82=A4=20?=
=?UTF-8?q?=EB=B3=B4=EC=95=88=20=EA=B0=95=ED=99=94=20(#282)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Enhance Session Cookie Security
* Fix user registration link path
---
common.php | 9 +++++++--
lib/common.lib.php | 4 ++++
mobile/skin/member/basic/login.skin.php | 2 +-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/common.php b/common.php
index c541f5f2b..3ba99a536 100644
--- a/common.php
+++ b/common.php
@@ -226,7 +226,12 @@ ini_set("session.gc_maxlifetime", 10800); // session data의 garbage collection
ini_set("session.gc_probability", 1); // session.gc_probability는 session.gc_divisor와 연계하여 gc(쓰레기 수거) 루틴의 시작 확률을 관리합니다. 기본값은 1입니다. 자세한 내용은 session.gc_divisor를 참고하십시오.
ini_set("session.gc_divisor", 100); // session.gc_divisor는 session.gc_probability와 결합하여 각 세션 초기화 시에 gc(쓰레기 수거) 프로세스를 시작할 확률을 정의합니다. 확률은 gc_probability/gc_divisor를 사용하여 계산합니다. 즉, 1/100은 각 요청시에 GC 프로세스를 시작할 확률이 1%입니다. session.gc_divisor의 기본값은 100입니다.
-session_set_cookie_params(0, '/', null, false, true);
+if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+ session_set_cookie_params(0, '/', null, true, true);
+} else {
+ session_set_cookie_params(0, '/', null, false, true);
+}
+
ini_set("session.cookie_domain", G5_COOKIE_DOMAIN);
function chrome_domain_session_name(){
@@ -381,7 +386,7 @@ if( $config['cf_cert_use'] || (defined('G5_YOUNGCART_VER') && G5_YOUNGCART_VER)
$cookie_session_name = method_exists('XenoPostToForm', 'g5_session_name') ? XenoPostToForm::g5_session_name() : 'PHPSESSID';
foreach ($headers as $header) {
if (!preg_match('~^Set-Cookie: '.$cookie_session_name.'=~', $header)) continue;
- $header = preg_replace('~; secure(; HttpOnly)?$~', '', $header) . '; secure; SameSite=None';
+ $header = preg_replace('~(; secure; HttpOnly)?$~', '; secure; HttpOnly; SameSite=None', $header);
header($header, false);
$g5['session_cookie_samesite'] = 'none';
break;
diff --git a/lib/common.lib.php b/lib/common.lib.php
index f05c8e30b..d55eda13e 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -155,6 +155,10 @@ function set_cookie($cookie_name, $value, $expire, $path='/', $domain=G5_COOKIE_
global $g5;
$c = run_replace('set_cookie_params', array('path'=>$path, 'domain'=>$domain, 'secure'=>$secure, 'httponly'=>$httponly), $cookie_name);
+
+ if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+ $c['secure'] = true;
+ }
setcookie(md5($cookie_name), base64_encode($value), G5_SERVER_TIME + $expire, $c['path'], $c['domain'], $c['secure'], $c['httponly']);
}
diff --git a/mobile/skin/member/basic/login.skin.php b/mobile/skin/member/basic/login.skin.php
index 67aca531a..14631fd8c 100644
--- a/mobile/skin/member/basic/login.skin.php
+++ b/mobile/skin/member/basic/login.skin.php
@@ -33,7 +33,7 @@ add_stylesheet('',
회원로그인 안내