From 3871179a575edefca3f422d2f96b45a8b0acf43e Mon Sep 17 00:00:00 2001
From: Zoey <zoey@z0ey.de>
Date: Thu, 16 Apr 2026 11:12:34 +0200
Subject: [PATCH] aio-interface: set cookie prefix to __Host-Http- (#7912)

Signed-off-by: Zoey <zoey@z0ey.de>
Signed-off-by: Simon L. <szaimen@e.mail.de>
Co-authored-by: Simon L. <szaimen@e.mail.de>
---
 php/public/index.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/php/public/index.php b/php/public/index.php
index b82f1474..2bc8091b 100644
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -38,6 +38,7 @@ $container->set(Guard::class, function () use ($responseFactory) {
 
 // Register Middleware To Be Executed On All Routes
 session_start([
+    "name" => "__Host-Http-PHPSESSID", // Set cookie prefix to prevent other pages from overwriting this cookie. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes
     "save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
     "cookie_lifetime" => 0, // Delete the session cookie whenever the browser is closed. See https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
     "gc_maxlifetime" => 86400, // Delete sessions after 24 hours. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime