Axia4/public_html/_incl/tools.session.php at fd3576674cf3f7ac1e5b111b2a421ff27d4f9c47 - Axia4 - Git EuskadiTech

EuskadiTech/Axia4

Files

copilot-swe-agent[bot] ffb6b6ce45 Security: fix auth bypass, open redirects, cookie security, OAuth CSRF, and Sf() misuse

- Fix critical inverted authentication logic in tools.auth.php (password_verify was inverted)
- Fix broken Sf() misuse for username lookups (was always returning empty string)
- Add safe_username_to_filename() to tools.security.php for proper username handling
- Fix open redirect vulnerability in _login.php for all redirect targets
- Add HttpOnly, Secure, SameSite cookie flags to all setcookie() calls
- Add CSRF nonce to OAuth state parameter and verify it on callback
- Add session_regenerate_id(true) after successful login
- Remove redundant session_regenerate_id() from tools.session.php (was called on every request)
- Add authentication check to entreaulas/_filefetch.php
- Fix broken Sf() usage in entreaulas pages (aulario.php, comedor.php, diario.php, paneldiario.php, proyectos.php, api/comedor.php)
- Fix broken Sf() usage in sysadmin/users.php and sysadmin/reset_password.php

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>

2026-02-21 18:55:06 +00:00

5 lines

142 B

PHP

Raw Blame History

 <?php
 session_start([ 'cookie_lifetime' => 604800 ]);
 ini_set("session.use_only_cookies", "true");
 ini_set("session.use_trans_sid", "false");