feat: Add session security and fixation prevention

Session security improvements in AuthMiddleware: 1. Secure Cookie Configuration: - HttpOnly flag prevents JavaScript access to session cookies - Secure flag requires HTTPS (protects from MITM) - SameSite=Strict prevents CSRF via cookie inclusion - Strict mode rejects uninitialized session IDs 2. Session Fixation Prevention: - session_regenerate_id(true) called after successful authentication - Old session ID destroyed, new one generated - Prevents attacker from using pre-set session ID 3. CSRF Token Regeneration: - New CSRF token generated on login - Ensures fresh token for each session These changes protect against session hijacking, fixation, and cross-site attacks while maintaining existing 5-hour timeout. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09 16:23:09 -05:00
parent 58f2e9d143
commit e801eee6ee
1 changed files with 14 additions and 1 deletions
--- a/middleware/AuthMiddleware.php
+++ b/middleware/AuthMiddleware.php
@@ -20,8 +20,14 @@ class AuthMiddleware {
     * @throws Exception if authentication fails
     */
    public function authenticate() {
-        // Start session if not already started
+        // Start session if not already started with secure settings
        if (session_status() === PHP_SESSION_NONE) {
            // Configure secure session settings
            ini_set('session.cookie_httponly', 1);
            ini_set('session.cookie_secure', 1); // Requires HTTPS
            ini_set('session.cookie_samesite', 'Strict');
            ini_set('session.use_strict_mode', 1);
            session_start();
        }
@@ -66,10 +72,17 @@ class AuthMiddleware {
            throw new Exception("Failed to sync user from Authelia");
        }
        // Regenerate session ID to prevent session fixation attacks
        session_regenerate_id(true);
        // Store user in session
        $_SESSION['user'] = $user;
        $_SESSION['last_activity'] = time();
        // Generate new CSRF token on login
        require_once __DIR__ . '/CsrfMiddleware.php';
        CsrfMiddleware::generateToken();
        return $user;
    }