From e801eee6eefa6f982f50164b9180f661d71e5e05 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Fri, 9 Jan 2026 16:23:09 -0500
Subject: [PATCH] feat: Add session security and fixation prevention
Session security improvements in AuthMiddleware:
1. Secure Cookie Configuration:
- HttpOnly flag prevents JavaScript access to session cookies
- Secure flag requires HTTPS (protects from MITM)
- SameSite=Strict prevents CSRF via cookie inclusion
- Strict mode rejects uninitialized session IDs
2. Session Fixation Prevention:
- session_regenerate_id(true) called after successful authentication
- Old session ID destroyed, new one generated
- Prevents attacker from using pre-set session ID
3. CSRF Token Regeneration:
- New CSRF token generated on login
- Ensures fresh token for each session
These changes protect against session hijacking, fixation, and cross-site attacks while maintaining existing 5-hour timeout.
Co-Authored-By: Claude Sonnet 4.5
---
 middleware/AuthMiddleware.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/middleware/AuthMiddleware.php b/middleware/AuthMiddleware.php
index ce345d1..0c77c4c 100644
--- a/middleware/AuthMiddleware.php
+++ b/middleware/AuthMiddleware.php
@@ -20,8 +20,14 @@ class AuthMiddleware {
 * @throws Exception if authentication fails
 */
 public function authenticate() {
- // Start session if not already started
+ // Start session if not already started with secure settings
 if (session_status() === PHP_SESSION_NONE) {
+ // Configure secure session settings
+ ini_set('session.cookie_httponly', 1);
+ ini_set('session.cookie_secure', 1); // Requires HTTPS
+ ini_set('session.cookie_samesite', 'Strict');
+ ini_set('session.use_strict_mode', 1);
+
 session_start();
 }
 
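Review bot: The four `ini_set` calls only take effect when this method is the first code to start the session; if any earlier path (another middleware, a bootstrap file) has already called `session_start()`, the `PHP_SESSION_NONE` branch is skipped and the cookie is issued with the runtime defaults, without the HttpOnly/Secure/SameSite flags or strict mode. Set these once at bootstrap (php.ini, `session_set_cookie_params()`, or the options array of `session_start([...])`) rather than inside the conditional, and note that `session.cookie_secure=1` means the browser will never return the cookie over plain HTTP, which surfaces as an unexplained re-authentication loop on a non-TLS deployment. The return value of `ini_set` is discarded even though these directives are the security control itself; a guard such as `if (ini_set('session.use_strict_mode', 1) === false) { throw new Exception('Cannot configure session'); }` would make a mis-configured runtime fail visibly instead of silently downgrading. One inferred caveat: a SameSite=Strict cookie is not attached to a top-level navigation arriving from another site, so if the Authelia redirect back into this app is cross-site the first post-login request will lack the session cookie — confirm both live on the same site, otherwise `Lax` is the usual choice. `authenticate()` continues past the end of this hunk.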
@@ -66,10 +72,17 @@ class AuthMiddleware {
 throw new Exception("Failed to sync user from Authelia");
 }
 
+ // Regenerate session ID to prevent session fixation attacks
+ session_regenerate_id(true);
+
 // Store user in session
 $_SESSION['user'] = $user;
 $_SESSION['last_activity'] = time();
 
+ // Generate new CSRF token on login
+ require_once __DIR__ . '/CsrfMiddleware.php';
+ CsrfMiddleware::generateToken();
+
 return $user;
 }
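Review bot: `session_regenerate_id(true)` returns false when it cannot regenerate (for example once headers have been sent, or when the save handler rejects the write), and the new code ignores that result, so a failed regeneration leaves the pre-login session ID in place while `$_SESSION['user']` is still populated — the fixation case this commit intends to close; change it to `if (!session_regenerate_id(true)) { throw new Exception("Failed to regenerate session ID"); }`. Regeneration carries the existing `$_SESSION` contents across, so any state seeded into the unauthenticated session survives into the authenticated one; consider clearing pre-login keys before assigning `$_SESSION['user']`, bearing in mind that this also discards any pre-login data the application legitimately relies on. The `require_once` of `CsrfMiddleware.php` inside the method body is a style point: move it to the top of the file (or rely on the autoloader) so the dependency is visible and not re-evaluated on every call. Whether `CsrfMiddleware::generateToken()` replaces an existing token or only creates one when none is present is not visible here; if it is the latter, the "new CSRF token on login" described in the commit message will not happen when a token already exists in the carried-over session, which is worth confirming. The enclosing `authenticate()` starts before this hunk.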