WIP: site request over http works fine with login. With https there are some...

WIP: site request over http works fine with login. With https there are some problems to get to the page.

WIP: site request over http works fine with login. With https there are some...
a4866017 · enured · 48f7c957 · a4866017
Commit a4866017 authored 3 years ago by enured
--- a/extension/Classes/Core/Store/Session.php
+++ b/extension/Classes/Core/Store/Session.php
@@ -52,14 +52,17 @@ class Session
            $path = $this->getSitePath();

            $secure = true; // if you only want to receive the cookie over HTTPS
-            $httponly = false; // prevent JavaScript access to session cookie
+            $httponly = true; // prevent JavaScript access to session cookie
            $samesite = 'lax';

            // Needed expire date for header() method
-            $date = date("D, d M Y H:i:s",strtotime('1 January 2024')) . 'GMT';
+            $actualYear = date("Y");
+            $currentTime = date("H:i:s");
+            $expireDay = intval(date("d")) + 3;
+            $date = date("D, d-M-Y H:i:s",strtotime($expireDay.' January '.$actualYear.' '.$currentTime)) . ' GMT';

            if(PHP_VERSION_ID < 70300) {
-                session_set_cookie_params($lifetime, $path.'; samesite='.$samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
+                session_set_cookie_params($lifetime, $path.';SameSite='.$samesite, $_SERVER['HTTP_HOST'], $secure, $httponly);
            } else {
                session_set_cookie_params([
                    'lifetime' => $lifetime,
@@ -82,21 +85,20 @@ class Session
            // Currently, setcookie() is only called to really extend the lifetime. All other parameter needs to be given again.
            // For PHP Version < 7.3 cookie with samesite can only be set over the header() method.
            if(PHP_VERSION_ID < 70300) {
-                header("Set-Cookie: ".SESSION_NAME."=".session_id()."; expires=".$date."; path=".$path."; domain=".$currentCookieParams['domain']."; HttpOnly; SameSite=Lax");
+                header("Set-Cookie: ".SESSION_NAME."=".session_id()."; path=".$path."; expires=".$date."; Max-Age=".$lifetime."; HttpOnly; Secure; SameSite=Lax");
            } else {
                setcookie(SESSION_NAME, session_id(), [
                    'expires' => time() + $lifetime,
-                    'path' => $path,
-                    'domain' => $currentCookieParams['domain'],
                    'secure' => $secure,
+                    'path' => $path,
                    'httponly' => $httponly,
-                    'samesite' => 'Lax',
+                    'samesite' => 'Lax'
                ]);

            }

            // Old way to set cookie without samesite - samesite is needed later
-            // setcookie(SESSION_NAME, session_id(), time() + $lifetime)
+            // setcookie(SESSION_NAME, session_id(), time() + $lifetime);

            self::$sessionId = session_id();
        }