Use generic session name and __Host- prefix for improved security

schokokeksorg · Mar 11, 2024 · bf71551 · bf71551
1 parent dc16c0d
commit bf71551
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/config.sample.php b/config.sample.php
@@ -33,7 +33,6 @@
 
 $config['mime_type'] = 'text/html';
 
-$config['session_name'] = 'CONFIG_SCHOKOKEKS_ORG';
 $config['theme'] = 'default';
 
 ini_set('display_errors', 'On');
diff --git a/session/start.php b/session/start.php
@@ -11,7 +11,10 @@
 
 require_once('inc/base.php');
 
-session_name(config('session_name'));
+// __Host- prefix guarantees secure cookie that cannot be
+// overwritten by other hosts:
+// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis
+session_name('__Host-CONFIG_INTERFACE');
 
 session_set_cookie_params(['path' => '/', 'secure' => true,
                                 'httponly' => true, 'samesite' => 'Lax', ]);