[Web] make SameSite policy and cookie name configurable via vars.local.inc

2025-12-13 01:45:59 +00:00 · 2025-10-06 11:00:03 +02:00
parent 922d173540
commit 1ef0149076
2 changed files with 9 additions and 2 deletions
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -1,9 +1,9 @@
 <?php
 // Start session
 if (session_status() !== PHP_SESSION_ACTIVE) {
-  session_name('MCSESSID');
+  session_name($SESSION_NAME);
  ini_set("session.cookie_httponly", 1);
-  ini_set("session.cookie_samesite", "Lax");
+  ini_set("session.cookie_samesite", $SESSION_SAMESITE_POLICY);
  ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
 }

--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -153,6 +153,13 @@ $LOG_PAGINATION_SIZE = 50;
 // Session lifetime in seconds
 $SESSION_LIFETIME = 10800;

+// Session SameSite Policy
+// Use "None", "Lax" or "Strict"
+$SESSION_SAMESITE_POLICY = "Lax";
+
+// Name of the session cookie
+$SESSION_NAME = "MCSESSID";
+
 // Label for OTP devices
 $OTP_LABEL = "mailcow UI";