From d4e46df28e33968687037631cd29289e351ab89c Mon Sep 17 00:00:00 2001 From: DL6ER Date: Wed, 3 Feb 2021 14:06:32 +0100 Subject: [PATCH] Prevent javascript XSS attacks aimed to steal the session ID Signed-off-by: DL6ER --- scripts/pi-hole/php/auth.php | 5 +++++ scripts/pi-hole/php/password.php | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/scripts/pi-hole/php/auth.php b/scripts/pi-hole/php/auth.php index 2046261a..21a25c46 100644 --- a/scripts/pi-hole/php/auth.php +++ b/scripts/pi-hole/php/auth.php @@ -97,6 +97,11 @@ function check_csrf($token) { session_id() == ""; if(!$session_started) { + // Start a new PHP session (or continue an existing one) + // Prevents javascript XSS attacks aimed to steal the session ID + ini_set('session.cookie_httponly', 1); + // Prevent Session ID from being passed through URLs + ini_set('session.use_only_cookies', 1); session_start(); } diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php index b3da977a..5dd03dd8 100644 --- a/scripts/pi-hole/php/password.php +++ b/scripts/pi-hole/php/password.php @@ -9,6 +9,10 @@ require_once('func.php'); // Start a new PHP session (or continue an existing one) + // Prevents javascript XSS attacks aimed to steal the session ID + ini_set('session.cookie_httponly', 1); + // Prevent Session ID from being passed through URLs + ini_set('session.use_only_cookies', 1); session_start(); // Read setupVars.conf file @@ -39,7 +43,7 @@ // Test if password is set if(strlen($pwhash) > 0) { - // Check for and authorize from persistent cookie + // Check for and authorize from persistent cookie if (isset($_COOKIE["persistentlogin"])) { if (hash_equals($pwhash, $_COOKIE["persistentlogin"]))