daenamnu/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-05-30 15:30:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

aio-interface: improve session config and cookie store (#7689)

Browse Source 
Signed-off-by: Zoey <zoey@z0ey.de>
Co-authored-by: Pablo Zmdl <57864086+pabzm@users.noreply.github.com>
Co-authored-by: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Zoey
2026-04-13 11:46:35 +02:00
committed by GitHub
parent 02c9f7971b
commit c104b179b7
1 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
php/public/index.php
View File

@@ -23,13 +23,6 @@ require __DIR__ . '/../vendor/autoload.php';
$container = \AIO\DependencyInjection::GetContainer();
$dataConst = $container->get(\AIO\Data\DataConst::class);
ini_set('session.save_path', $dataConst->GetSessionDirectory());
// Auto logout on browser close
ini_set('session.cookie_lifetime', '0');
# Keep session for 24h max
ini_set('session.gc_maxlifetime', '86400');
// Create app
AppFactory::setContainer($container);
@@ -44,7 +37,17 @@ $container->set(Guard::class, function () use ($responseFactory) {
});
// Register Middleware To Be Executed On All Routes
session_start();
session_start([
"save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
"cookie_lifetime" => 0, // Delete the session cookie whenever the browser is closed. See https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
"gc_maxlifetime" => 86400, // Delete sessions after 24 hours. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
"gc_probability" => 1, // Probability that the session cleanup starts. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
"gc_divisor" => 1, // gc_probability/gc_divisor = 1/1 = 100%, meaning that *all* outdated sessions get deleted when the cleanup job runs. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
"use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
"cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
"cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
"cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
]);
$app->add(Guard::class);
// Create Twig