Commit 32da82f8 authored by Ryan Blair's avatar Ryan Blair

tighten up session cookie security by default

parent 38548f21
......@@ -24,7 +24,18 @@ This file was written by Gary Hemming <gary.hemming@ego-gw.it>.
//////////////////////
// Handle sessions //
////////////////////
session_start();
// session cookie setup, with some security options
// see https://www.php.net/manual/en/session.security.ini.php
session_start( [
//'cookie_lifetime' => 86400,
'use_cookies' => 1,
'use_only_cookies' => 1, // ONLY use cookies, not GET/POST/URL params
'use_strict_mode' => 1, // prevents misuse of uninit'd session ID
'cookie_httponly' => 1, // cookies only available in connection, not to JS
'cookie_secure' => 1, // only access via HTTPS. consider adding HSTS too
'cookie_samesite' => 'Strict', // prevent CSRF
]);
ini_set('display_errors',1);
......
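Review bot: The `'cookie_samesite' => 'Strict', // prevent CSRF` option is only understood by PHP 7.3 and later; on an older runtime that key is ignored (possibly with a warning) while the other options still apply, so the comment promises more than the code can guarantee there — consider guarding it with `PHP_VERSION_ID >= 70300` or noting the requirement in the comment, and keep any existing CSRF tokens, since SameSite is defence in depth rather than a replacement. `Strict` also means the session cookie is not sent on a top-level navigation from another site, so a user following an external link appears logged out until they reload; `Lax` is the usual trade-off if that matters for this application. The return value of `session_start()` is not checked; it returns `false` when the session cannot be started (for example, headers already sent), in which case none of these options are in effect and the page runs without a session. The unchanged `ini_set('display_errors',1);` on the following line still sends PHP warnings and file paths to the browser, which undercuts this hardening if the file is deployed in production.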