LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add session security and fixation prevention

Browse Source 
Session security improvements in AuthMiddleware:

1. Secure Cookie Configuration:
   - HttpOnly flag prevents JavaScript access to session cookies
   - Secure flag requires HTTPS (protects from MITM)
   - SameSite=Strict prevents CSRF via cookie inclusion
   - Strict mode rejects uninitialized session IDs

2. Session Fixation Prevention:
   - session_regenerate_id(true) called after successful authentication
   - Old session ID destroyed, new one generated
   - Prevents attacker from using pre-set session ID

3. CSRF Token Regeneration:
   - New CSRF token generated on login
   - Ensures fresh token for each session

These changes protect against session hijacking, fixation, and
cross-site attacks while maintaining existing 5-hour timeout.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-01-09 16:23:09 -05:00
parent 58f2e9d143
commit e801eee6ee
1 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
middleware/AuthMiddleware.php
View File

@@ -20,8 +20,14 @@ class AuthMiddleware {
* @throws Exception if authentication fails
*/
public function authenticate() {
// Start session if not already started
// Start session if not already started with secure settings
if (session_status() === PHP_SESSION_NONE) {
// Configure secure session settings
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1); // Requires HTTPS
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.use_strict_mode', 1);
session_start();
}
@@ -66,10 +72,17 @@ class AuthMiddleware {
throw new Exception("Failed to sync user from Authelia");
}
// Regenerate session ID to prevent session fixation attacks
session_regenerate_id(true);
// Store user in session
$_SESSION['user'] = $user;
$_SESSION['last_activity'] = time();
// Generate new CSRF token on login
require_once __DIR__ . '/CsrfMiddleware.php';
CsrfMiddleware::generateToken();
return $user;
}