Prevent javascript XSS attacks aimed to steal the session ID

Signed-off-by: DL6ER <dl6er@dl6er.de>
This commit is contained in:
DL6ER
2021-02-03 14:06:32 +01:00
parent 22d7df9116
commit d4e46df28e
2 changed files with 10 additions and 1 deletions


@@ -97,6 +97,11 @@ function check_csrf($token) {
session_id() == "";
if(!$session_started) {
// Start a new PHP session (or continue an existing one)
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Prevent Session ID from being passed through URLs
ini_set('session.use_only_cookies', 1);
session_start();
}