Prevent javascript XSS attacks aimed to steal the session ID

Signed-off-by: DL6ER <[email protected]>
pi-hole · Feb 3, 2021 · d4e46df · d4e46df
1 parent 22d7df9
commit d4e46df
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/scripts/pi-hole/php/auth.php b/scripts/pi-hole/php/auth.php
@@ -97,6 +97,11 @@ function check_csrf($token) {
         session_id() == "";
 
     if(!$session_started) {
+        // Start a new PHP session (or continue an existing one)
+        // Prevents javascript XSS attacks aimed to steal the session ID
+        ini_set('session.cookie_httponly', 1);
+        // Prevent Session ID from being passed through  URLs
+        ini_set('session.use_only_cookies', 1);
         session_start();
     }
 

diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php
@@ -9,6 +9,10 @@
     require_once('func.php');
 
     // Start a new PHP session (or continue an existing one)
+    // Prevents javascript XSS attacks aimed to steal the session ID
+    ini_set('session.cookie_httponly', 1);
+    // Prevent Session ID from being passed through  URLs
+    ini_set('session.use_only_cookies', 1);
     session_start();
 
     // Read setupVars.conf file
@@ -39,7 +43,7 @@
     // Test if password is set
     if(strlen($pwhash) > 0)
     {
-        // Check for and authorize from persistent cookie 
+        // Check for and authorize from persistent cookie
         if (isset($_COOKIE["persistentlogin"]))
         {
             if (hash_equals($pwhash, $_COOKIE["persistentlogin"]))