[Web] Important: Do not allow API actions with r/o session key, THANKS TO Samuel Oosterholt

data/web/inc/footer.inc.php

@@ -304,5 +304,12 @@ $(document).ready(function() {
 </body>
 </html>
 <?php
+if (isset($_SESSION['mailcow_cc_api'])) {
+  session_regenerate_id(true);
+  session_unset();
+  session_destroy();
+  session_write_close();
+  header("Location: /");
+}
 $stmt = null;
 $pdo = null;

data/web/inc/triggers.inc.php

@@ -93,7 +93,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 		fido2(array("action" => "unset_fido2_key", "post_data" => $_POST));
 	}
 }
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
   // TODO: Move file upload to API?
 	if (isset($_POST["submit_main_logo"])) {
     if ($_FILES['main_logo']['error'] == 0) {