From 3c518c48e6fedcdb2e25da3ebbaa581b157c8478 Mon Sep 17 00:00:00 2001 From: flashwave Date: Mon, 6 Jun 2022 16:57:45 +0200 Subject: [PATCH] Fixed cookies not being set correctly when running on a non-standard port.
---
misuzu.php | 6 +++--- public/auth/login.php | 2 +- public/auth/logout.php | 2 +- public/auth/twofactor.php | 2 +- utility.php | 9 +++++++++ 5 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/misuzu.php b/misuzu.php
index 9dbbe30e..ebe7137e 100644
--- a/misuzu.php
+++ b/misuzu.php
@@ -151,7 +151,7 @@ if(isset($_COOKIE['msz_uid']) && isset($_COOKIE['msz_sid'])) {
 ->setSessionToken(filter_input(INPUT_COOKIE, 'msz_sid') ?? '');
 if($authToken->isValid())
- setcookie('msz_auth', $authToken->pack(), strtotime('1 year'), '/', '.' . $_SERVER['HTTP_HOST'], !empty($_SERVER['HTTPS']), true);
+ setcookie('msz_auth', $authToken->pack(), strtotime('1 year'), '/', msz_cookie_domain(), !empty($_SERVER['HTTPS']), true);
 setcookie('msz_uid', '', -3600, '/', '', !empty($_SERVER['HTTPS']), true);
 setcookie('msz_sid', '', -3600, '/', '', !empty($_SERVER['HTTPS']), true);
@@ -173,7 +173,7 @@ if($authToken->isValid()) {
 $sessionInfo->bump();
 if($sessionInfo->shouldBumpExpire())
- setcookie('msz_auth', $authToken->pack(), $sessionInfo->getExpiresTime(), '/', '.' . $_SERVER['HTTP_HOST'], !empty($_SERVER['HTTPS']), true);
+ setcookie('msz_auth', $authToken->pack(), $sessionInfo->getExpiresTime(), '/', msz_cookie_domain(), !empty($_SERVER['HTTPS']), true);
 }
 }
 } catch(UserNotFoundException $ex) {
@@ -187,7 +187,7 @@ if($authToken->isValid()) {
 if(UserSession::hasCurrent()) {
 $userInfo->bumpActivity();
 } else {
- setcookie('msz_auth', '', -9001, '/', '.' . $_SERVER['HTTP_HOST'], !empty($_SERVER['HTTPS']), true);
+ setcookie('msz_auth', '', -9001, '/', msz_cookie_domain(), !empty($_SERVER['HTTPS']), true);
 setcookie('msz_auth', '', -9001, '/', '', !empty($_SERVER['HTTPS']), true);
 }
 }
diff --git a/public/auth/login.php b/public/auth/login.php
index 1b30e518..493377d5 100644
--- a/public/auth/login.php
+++ b/public/auth/login.php
@@ -118,7 +118,7 @@ while(!empty($_POST['login']) && is_array($_POST['login'])) {
 }
 $authToken = AuthToken::create($userInfo, $sessionInfo);
- setcookie('msz_auth', $authToken->pack(), $sessionInfo->getExpiresTime(), '/', '.' . $_SERVER['HTTP_HOST'], !empty($_SERVER['HTTPS']), true);
+ setcookie('msz_auth', $authToken->pack(), $sessionInfo->getExpiresTime(), '/', msz_cookie_domain(), !empty($_SERVER['HTTPS']), true);
 if(!is_local_url($loginRedirect))
 $loginRedirect = url('index');
diff --git a/public/auth/logout.php b/public/auth/logout.php
index e7640aa3..c75e722d 100644
--- a/public/auth/logout.php
+++ b/public/auth/logout.php
@@ -12,7 +12,7 @@ if(!UserSession::hasCurrent()) {
 }
 if(CSRF::validateRequest()) {
- setcookie('msz_auth', '', -9001, '/', '.' . $_SERVER['HTTP_HOST'], !empty($_SERVER['HTTPS']), true);
+ setcookie('msz_auth', '', -9001, '/', msz_cookie_domain(), !empty($_SERVER['HTTPS']), true);
 setcookie('msz_auth', '', -9001, '/', '', !empty($_SERVER['HTTPS']), true);
 UserSession::getCurrent()->delete();
 UserSession::unsetCurrent();
diff --git a/public/auth/twofactor.php b/public/auth/twofactor.php
index 761de491..af31b16c 100644
--- a/public/auth/twofactor.php
+++ b/public/auth/twofactor.php
@@ -84,7 +84,7 @@ while(!empty($twofactor)) {
 }
 $authToken = AuthToken::create($userInfo, $sessionInfo);
- setcookie('msz_auth', $authToken->pack(), $sessionInfo->getExpiresTime(), '/', '.' . $_SERVER['HTTP_HOST'], !empty($_SERVER['HTTPS']), true);
+ setcookie('msz_auth', $authToken->pack(), $sessionInfo->getExpiresTime(), '/', msz_cookie_domain(), !empty($_SERVER['HTTPS']), true);
 if(!is_local_url($redirect)) {
 $redirect = url('index');
diff --git a/utility.php b/utility.php
index a7a58d60..11f27db7 100644
--- a/utility.php
+++ b/utility.php
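Review bot: The re-emitted `setcookie('msz_auth', …)` call on the new side of the login.php hunk still sets no `SameSite` attribute, and its `Secure` flag is derived from `$_SERVER['HTTPS']`, which is commonly empty behind a TLS-terminating proxy; for the session cookie issued at login both are worth pinning explicitly rather than left to browser defaults. If the project runs on PHP 7.3 or later, the options-array form lets you add it: `setcookie('msz_auth', $authToken->pack(), ['expires' => $sessionInfo->getExpiresTime(), 'path' => '/', 'domain' => msz_cookie_domain(), 'secure' => !empty($_SERVER['HTTPS']), 'httponly' => true, 'samesite' => 'Lax']);`. Note also that the dotted domain returned by `msz_cookie_domain()` scopes the session cookie to every subdomain of whatever Host header the client sent, so any host under that domain can read or overwrite it. The enclosing `while` loop starts and ends outside the hunk.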
@@ -209,3 +209,12 @@ function msz_server_timing(\Index\Performance\Timings $timings): string {
 return sprintf('Server-Timing: %s', implode(', ', $timings));
 }
+
+function msz_cookie_domain(bool $compatible = true): string {
+ $url = parse_url($_SERVER['HTTP_HOST'], PHP_URL_HOST);
+
+ if(!filter_var($url, FILTER_VALIDATE_IP) && $compatible)
+ $url = '.' . $url;
+
+ return $url;
+}
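Review bot: `parse_url($_SERVER['HTTP_HOST'], PHP_URL_HOST)` in the new `msz_cookie_domain()` returns null whenever the Host header carries no port, because a bare `example.com` has neither a scheme nor a leading `//` and parse_url files the whole string under `path`; the function then returns `'.'` (or, with `$compatible = false`, null against a `string` return type and a TypeError), so the standard-port case yields an unusable cookie domain even though the non-standard-port case works via parse_url's `host:port` special case. Parsing the value as a network-path reference handles both forms: `$url = parse_url('//' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);`. Separately, the Host header is client-supplied, so the domain the session cookie is scoped to is whatever the request claims; a configured canonical hostname would be a safer source than `$_SERVER['HTTP_HOST']`. A bracketed IPv6 literal would presumably also need its brackets stripped before the `FILTER_VALIDATE_IP` check, or it gets the `.` prefix like a hostname.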