By default there is a Pragma: no-cache header set due to the default
value `no-cache` of session.cache-limiter, which will cause Chrome and
iOS to not cache even with a different Cache-Control header set on the
response.
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Otherwise restoring the requesttoken would reopen and read the existing
session data and restore it instead of clearing
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Sessions are a locking operation until we write close them, so close
them early and reopen later in case we want to write to them
Signed-off-by: Julius Härtl <jus@bitgrid.net>
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This makes the last remaining two cookies lax. The session cookie
itself. And the session password as well (on php 7.3 that is). Samesite
cookies are the best cookies!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
The php documentation states that an empty string should be used for a cookie when it has no real value.
null leads to the following error: expects parameter 2 to be string, null given
Signed-off-by: Martin Böh <mart.b@outlook.de>
Sometimes when we force a session regeneration we want to update the
current token for this session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Treat PHP Errors on User session regenerate
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
remove unnecessary lines…
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
change PHP errors to ErrorException in the session (PHP >=7)
Otherwise it might be that authentication apps are being disabled on
during operation while in fact the session handler has hiccup.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
This is a hacky way to allow the use case of #1303.
What happens is
1. User tries to login
2. PreLoginHook kicks in and figures out that the user need to change
their LDAP password or whatever => redirects user
3. While loading the redirect some logic of ours kicks in and logouts
the user (thus clearing the session).
4. We render the new page but now the session and the page disagree
about the CSRF token
This is kind of hacky but I don't think it introduces new attack
vectors.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
