Fix A+ rating when checking with Nextcloud Security Scan.

Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php. This results in a degration from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
nextcloud · Mar 2, 2025 · e1e0b68 · e1e0b68
1 parent bf387e5
commit e1e0b68
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/lib/base.php b/lib/base.php
@@ -363,13 +363,6 @@ private static function printUpgradePage(\OC\SystemConfig $systemConfig): void {
 	public static function initSession(): void {
 		$request = Server::get(IRequest::class);
 
-		// Do not initialize sessions for 'status.php' requests
-		// Monitoring endpoints can quickly flood session handlers
-		// and 'status.php' doesn't require sessions anyway
-		if (str_ends_with($request->getScriptName(), '/status.php')) {
-			return;
-		}
-
 		// TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies
 		// TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments
 		// TODO: for further information.
@@ -388,6 +381,13 @@ public static function initSession(): void {
 		// prevents javascript from accessing php session cookies
 		ini_set('session.cookie_httponly', 'true');
 
+		// Do not initialize sessions for 'status.php' requests
+		// Monitoring endpoints can quickly flood session handlers
+		// and 'status.php' doesn't require sessions anyway
+		if (str_ends_with($request->getScriptName(), '/status.php')) {
+			return;
+		}
+
 		// set the cookie path to the Nextcloud directory
 		$cookie_path = OC::$WEBROOT ? : '/';
 		ini_set('session.cookie_path', $cookie_path);