Implement cookie prefix protection for PHP session cookie

This contribution also respects the same naming convention used by the authentication cookie.

Using _ and - in a session name is against the PHP documentation [1] but it seems this warning has only been added to avoid issues when the session name is used in URLs and cookies but for both these chars are safe to use. A quick review of the PHP source code and functional tests in PHP 5.6 and 7.2 has not shown specific restrictions. A bug request to change this warning in the PHP documentation has been opened [2] but we should not encounter more issues than with the authentication cookie.

This is part of request #10979: Implement Same-Site cookie and cookie prefixes protections

[1] https://secure.php.net/manual/en/function.session-name.php
[2] https://bugs.php.net/bug.php?id=75883

Change-Id: Ie8b3e553667c1f63c73f77a87b7f19289da93336

Modified Files

M src/common/include/CookieManager.class.php +4 −4
M src/common/session/PHP_Session.class.php +3 −0
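How a prefixed session name interacts with the cookie attributes, as an added example that is not the project's code: it picks a prefix from the cookie settings, applies it with `session_name()`, and checks constructed `Set-Cookie` values against the rules browsers enforce for `__Host-` and `__Secure-`. The function names and the `example_session` name are hypothetical.

```php
<?php
// Added example: function names and the sample session name are hypothetical.

// Pick the strongest prefix whose browser-enforced requirements are met:
//   __Host-   needs Secure, Path=/ and no Domain attribute
//   __Secure- needs Secure
function cookie_prefix($secure, $path, $domain)
{
    if (! $secure) {
        return '';
    }
    return ($path === '/' && $domain === '') ? '__Host-' : '__Secure-';
}

// List the prefix rules a Set-Cookie header value breaks (empty = accepted).
function prefix_violations($set_cookie)
{
    $parts = array_map('trim', explode(';', $set_cookie));
    list($name) = explode('=', array_shift($parts), 2);
    $attrs = array();
    foreach ($parts as $part) {
        $kv = explode('=', $part, 2);
        $attrs[strtolower(trim($kv[0]))] = isset($kv[1]) ? trim($kv[1]) : '';
    }
    $is_host = strpos($name, '__Host-') === 0;
    $errors  = array();
    if (($is_host || strpos($name, '__Secure-') === 0) && ! isset($attrs['secure'])) {
        $errors[] = 'Secure attribute missing';
    }
    if ($is_host && isset($attrs['domain'])) {
        $errors[] = 'Domain attribute not allowed';
    }
    if ($is_host && (! isset($attrs['path']) || $attrs['path'] !== '/')) {
        $errors[] = 'Path must be /';
    }
    return $errors;
}

$secure = true; // assumption: the site is only served over HTTPS
$name   = cookie_prefix($secure, '/', '') . 'example_session';
session_name($name);                                  // name contains _ and -
session_set_cookie_params(0, '/', '', $secure, true); // empty domain: no Domain attribute

// Constructed Set-Cookie values: the first is accepted, the second is rejected.
print_r(prefix_violations($name . '=abc123; Path=/; Secure; HttpOnly'));
print_r(prefix_violations($name . '=abc123; Path=/; Domain=example.com; Secure'));
```

The positional form of `session_set_cookie_params()` is used because it works on the PHP 5.6 and 7.2 versions the commit message mentions.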