Branch: refs/heads/master
Home: https://github.com/s9y/Serendipity
Commit: f05303f58ccbdf4c82753b3119a37571f632ab35
https://github.com/s9y/Serendipity/commit/f05303f58ccbdf4c82753b3119a37571f632ab35
Author: onli <on...@pa...>
Date: 2025-10-09 (Thu, 09 Oct 2025)
Changed paths:
M docs/NEWS
M include/functions_config.inc.php
Log Message:
-----------
Rework of the XSRF token for longer duration (#919)
* Improve cookie security by setting samesite to strict by default
* Use a token from the db instead of the session id against CSRF
Allows for longer valid links without having to configure PHP's session lifetime
* Extend token duration on use if valid for less than an hour
Prevents the scenario where an old token is used to start an editing session, but then the token runs out and the user gets an error message.
* Strict equality check for token
Co-authored-by: Garvin Hicking <bl...@ga...>
* Fix $samesite parameter not being applied to cookie
* Use constant for XSRF token config key
* Delete XSRF token on logout
* Replace token when old instead of extending it
* Document changes
---------
Co-authored-by: Garvin Hicking <bl...@ga...>
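The mechanism the commit message describes, written out as an added illustration (this is not Serendipity's own code and does not reproduce its functions_config.inc.php changes): a CSRF token stored in a config table rather than derived from the session id, validated with a strict comparison, replaced with a fresh one when fewer than an hour of validity remain, removed on logout, and a session cookie configured with `samesite=Strict`. The constants, the in-memory array standing in for the database table, and the function names are all assumptions made for this example.

```php
<?php
// Added example, not project code. A PHP array stands in for the config
// table; lifetimes are assumed values chosen for illustration.
const XSRF_TOKEN_KEY       = 'xsrf_token';   // assumed config key name
const XSRF_TOKEN_LIFETIME  = 7 * 24 * 3600;  // assumed: one week of validity
const XSRF_RENEW_THRESHOLD = 3600;           // replace when under an hour remains

// Issue a new random token and persist it with its absolute expiry time.
function xsrf_issue(array &$store, int $now): string {
    $token = bin2hex(random_bytes(32));
    $store[XSRF_TOKEN_KEY] = ['token' => $token, 'expires' => $now + XSRF_TOKEN_LIFETIME];
    return $token;
}

// Token to embed in links/forms: reuse the stored one, but replace it (rather
// than extending its expiry) when it is missing, expired, or close to expiry,
// so an editing session begun from an old link does not fail part-way through.
function xsrf_token_for_links(array &$store, int $now): string {
    $rec = $store[XSRF_TOKEN_KEY] ?? null;
    if ($rec === null || $rec['expires'] <= $now) {
        return xsrf_issue($store, $now);
    }
    if ($rec['expires'] - $now < XSRF_RENEW_THRESHOLD) {
        return xsrf_issue($store, $now);
    }
    return $rec['token'];
}

// Validate a submitted token. hash_equals() is both type-strict (it rejects
// non-strings) and constant-time, avoiding PHP's loose == coercion where
// e.g. "0" or "" could compare equal to an unexpected value.
function xsrf_validate(array &$store, $submitted, int $now): bool {
    if (!is_string($submitted) || !isset($store[XSRF_TOKEN_KEY])) {
        return false;
    }
    $rec = $store[XSRF_TOKEN_KEY];
    if ($rec['expires'] <= $now) {
        return false;
    }
    return hash_equals($rec['token'], $submitted);
}

// On logout the stored token is deleted, so links carrying the old value stop
// working immediately instead of living on until their expiry.
function xsrf_delete(array &$store): void {
    unset($store[XSRF_TOKEN_KEY]);
}

// Cookie options for the session cookie: SameSite=Strict by default, plus
// HttpOnly and (when served over TLS) Secure. Usable with
// session_set_cookie_params() or setcookie() on PHP 7.3+.
function session_cookie_options(bool $https, string $samesite = 'Strict'): array {
    return [
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => $samesite,
    ];
}

// Walk-through with a simulated clock.
$store = [];
$t0 = 1700000000;
$first = xsrf_token_for_links($store, $t0);
assert(xsrf_validate($store, $first, $t0 + 60));             // fresh token accepted
assert(!xsrf_validate($store, strrev($first), $t0 + 60));    // wrong value rejected
assert(!xsrf_validate($store, 0, $t0 + 60));                 // non-string rejected, no coercion
$second = xsrf_token_for_links($store, $t0 + 3600);
assert($second === $first);                                  // plenty of time left: reused
$third = xsrf_token_for_links($store, $t0 + XSRF_TOKEN_LIFETIME - 600);
assert($third !== $first);                                   // under an hour left: replaced
assert(!xsrf_validate($store, $first, $t0 + XSRF_TOKEN_LIFETIME - 600)); // old one gone
xsrf_delete($store);
assert(!xsrf_validate($store, $third, $t0 + XSRF_TOKEN_LIFETIME - 600)); // deleted on logout
echo "ok\n";
```

Because the token is read from the database on each request rather than from the session, its validity no longer depends on PHP's `session.gc_maxlifetime`, which is what lets links stay usable for longer without touching the session configuration.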