Destroy session when invalid, use more compatible js path

master
andryyy 2017-05-14 21:54:18 +02:00
parent e795898b80
commit d06e938d0e
2 changed files with 7 additions and 3 deletions


@ -39,7 +39,7 @@ return array(
"customErrorMessage" => "", "customErrorMessage" => "",
"jsPath" => "../js/csrfprotector.js", "jsPath" => "../js/csrfprotector.js",
// Fetching IS_HTTPS from sessions handler // Fetching IS_HTTPS from sessions handler
"jsUrl" => get_trusted_hostname(), "jsUrl" => "/inc/lib/vendor/owasp/csrf-protector-php/js/csrfprotector.js",
"tokenLength" => 10, "tokenLength" => 10,
"secureCookie" => false, "secureCookie" => false,
"disabledJavascriptMessage" => "", "disabledJavascriptMessage" => "",
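Review bot: The comment kept directly above the changed `jsUrl` line (`// Fetching IS_HTTPS from sessions handler`) no longer describes anything on that line now that the value is a fixed string. Nothing documents that the new root-relative URL only resolves when the application is served from the web root. I would replace the comment with `// Root-relative URL of the vendored CSRF Protector script; assumes the app is served from /`. The value also has to keep pointing at the same file as `jsPath` two lines up, which is worth stating there since both are now maintained by hand. The returned array starts and ends outside this hunk.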


@ -54,5 +54,9 @@ function session_check() {
return true; return true;
} }
if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) { if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
exit("Invalid session"); session_regenerate_id(true);
session_unset();
session_destroy();
session_write_close();
header("Location: /");
} }
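Review bot: The new invalid-session branch sends `header("Location: /");` but no longer stops the script, so whatever follows this `if` in the including page still runs for a request whose session was just judged invalid. The removed `exit("Invalid session")` used to prevent that. Add `exit;` on the line after the `header()` call, so the redirect is the only thing the request produces. The `session_regenerate_id(true)` before `session_destroy()` and the `session_write_close()` after it look redundant, since the session is torn down anyway; `session_unset(); session_destroy();` followed by the redirect and `exit;` would be enough. The body of `session_check()` begins outside this hunk, so what it validates is not visible here.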