Prevent javascript XSS attacks aimed to steal the session ID

Signed-off-by: DL6ER <dl6er@dl6er.de>
This commit is contained in:
DL6ER
2021-02-03 14:06:32 +01:00
parent 22d7df9116
commit d4e46df28e
2 changed files with 10 additions and 1 deletions


@@ -97,6 +97,11 @@ function check_csrf($token) {
session_id() == "";
if(!$session_started) {
// Start a new PHP session (or continue an existing one)
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Prevent Session ID from being passed through URLs
ini_set('session.use_only_cookies', 1);
session_start();
}
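Review bot: The `ini_set` lines added ahead of `session_start()` here, and the identical lines in the second file's `@@ -9,6 +9,10 @@` hunk, stop scripts from reading the cookie but leave two related session options at their defaults: `session.use_strict_mode`, which makes PHP refuse a session ID it did not issue itself (the classic fixation case), and `session.cookie_secure`, without which the HttpOnly cookie still travels in clear over plain HTTP. I would add `ini_set('session.use_strict_mode', 1);` next to the existing calls unconditionally, and `ini_set('session.cookie_secure', 1);` only when the request arrived over TLS (e.g. guarded by `!empty($_SERVER['HTTPS'])`), since an interface that is also reachable over plain HTTP would otherwise never get its session back; on PHP 7.3+ `ini_set('session.cookie_samesite', 'Lax');` is worth setting in the same place. Both files now carry a verbatim copy of this block, so it would be safer to keep it in one helper (the second file already does `require_once('func.php')`) and call that from both sites so the settings cannot drift apart. The `$session_started` assignment and the enclosing `check_csrf()` function both begin before this hunk's first visible line.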


@@ -9,6 +9,10 @@
require_once('func.php');
// Start a new PHP session (or continue an existing one)
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Prevent Session ID from being passed through URLs
ini_set('session.use_only_cookies', 1);
session_start();
// Read setupVars.conf file
@@ -39,7 +43,7 @@
// Test if password is set
if(strlen($pwhash) > 0)
{
// Check for and authorize from persistent cookie
// Check for and authorize from persistent cookie
if (isset($_COOKIE["persistentlogin"]))
{
if (hash_equals($pwhash, $_COOKIE["persistentlogin"]))