From d06e938d0eee341dae6a8d2e23c38f71b6c88729 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Sun, 14 May 2017 21:54:18 +0200
Subject: [PATCH] Destroy session when invalid, use more compatible js path
---
 .../inc/lib/vendor/owasp/csrf-protector-php/libs/config.php | 4 ++--
 data/web/inc/sessions.inc.php | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/data/web/inc/lib/vendor/owasp/csrf-protector-php/libs/config.php b/data/web/inc/lib/vendor/owasp/csrf-protector-php/libs/config.php
index b9833d64..3b9254e7 100755
--- a/data/web/inc/lib/vendor/owasp/csrf-protector-php/libs/config.php
+++ b/data/web/inc/lib/vendor/owasp/csrf-protector-php/libs/config.php
@@ -39,9 +39,9 @@ return array(
 "customErrorMessage" => "",
 "jsPath" => "../js/csrfprotector.js",
 // Fetching IS_HTTPS from sessions handler
- "jsUrl" => get_trusted_hostname(),
+ "jsUrl" => "/inc/lib/vendor/owasp/csrf-protector-php/js/csrfprotector.js",
 "tokenLength" => 10,
 "secureCookie" => false,
 "disabledJavascriptMessage" => "",
 "verifyGetFor" => array()
-);
\ No newline at end of file
+);
diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index e6beb485..b6241839 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -54,5 +54,9 @@ function session_check() {
 return true;
 }
 if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
- exit("Invalid session");
+ session_regenerate_id(true);
+ session_unset();
+ session_destroy();
+ session_write_close();
+ header("Location: /");
 }
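Review bot: The context comment `// Fetching IS_HTTPS from sessions handler` directly above the changed `"jsUrl"` entry described the removed `get_trusted_hostname()` call and is now stale next to a hard-coded root-relative path. Replace it with something that explains the new value, e.g. `// Root-relative path: the protector script is always served from the page's own origin`, or drop it. Because this config lives under `lib/vendor/`, a future update of the csrf-protector-php library would presumably overwrite this edit; if the project keeps local overrides elsewhere, that would be a safer home for it. The `return array(` that opens this config starts before the hunk.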
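Review bot: The new `header("Location: /");` at the end of the `if` block is not followed by `exit`, so unlike the removed `exit("Invalid session")` the request keeps executing after the session has been unset and destroyed, and whatever includes this file will run its remaining code for an unauthenticated request with an empty `$_SESSION` (the redirect is only honoured once the response is fully sent). Add `exit;` as the last statement of the block so the invalidation path terminates the request the way the old code did. Note also that `session_destroy()` removes the server-side data but not the client's session cookie; if the intent is a clean logout, consider expiring the cookie too, which PHP documents as a separate `setcookie()` step. `session_check()` itself starts before the hunk, so its validation logic cannot be reviewed here.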