Added cookie restrictions

README.md

@@ -9,9 +9,9 @@ Flux Control Panel (FluxCP) for rAthena servers.
 
 Requirements
 ---------
-* PHP 5.2
-* PDO and PDO-MYSQL extensions for PHP5 (including PHP_MYSQL support)
-* MySQL 5
+* PHP 7.3 or newer
+* PDO and PDO-MYSQL extensions for PHP (including PHP_MYSQL support)
+* MySQL 5 or newer
 * Optional: GD2 (for guild emblems and registration CAPTCHA)
 * Optional: Tidy (for cleaner HTML output)
 * Optional: mod_rewrite support for UseCleanUrls feature

config/application.php

@@ -4,6 +4,7 @@
 return array(
 	'ServerAddress'				=> 'localhost',				// This value is the hostname:port under which Flux runs. (e.g., example.com or example.com:80)
 	'BaseURI'					=> 'fluxcp',						// The base URI is the base web root on which your application lies.
+	'ForceHTTPS'				=> true,					// By default use HTTPS, you should only use HTTP, if you have no certificate available (Note: You may want to visit https://letsencrypt.org)
 	'InstallerPassword'			=> 'secretpassword',		// Installer/updater password.
 	'RequireOwnership'			=> true,					// Require the executing user to be owner of the FLUX_ROOT/data/ directory tree? (Better for security)
 															// WARNING: This will be mostly IGNORED on non-POSIX-compliant OSes (e.g. Windows).

index.php

@@ -1,5 +1,14 @@
 <?php
 
+if( version_compare( PHP_VERSION, '7.3.0', '<' ) ){
+	exit(
+		sprintf(
+			'FluxCP requires PHP 7.3.0 or higher. You are using PHP %s.',
+			PHP_VERSION
+		)
+	);
+}
+
 // Time started.
 define('__START__', microtime(true));
 
@@ -119,7 +128,25 @@
 
 	$sessionKey = Flux::config('SessionKey');
 	$sessionExpireDuration = Flux::config('SessionCookieExpire') * 60 * 60;
-	session_set_cookie_params($sessionExpireDuration, Flux::config('BaseURI'));
+
+	$cookie_options = array(
+		// Session timeout
+		'lifetime' => $sessionExpireDuration,
+		// Flux URL
+		'path' => Flux::config( 'BaseURI' ),
+		// Domain name for the cookie
+		'domain' => preg_replace( '/:\d+$/', '', Flux::config( 'ServerAddress' ) ), // Remove port number if present (e.g. "example.com:80")
+		// Only transfer the cookie via HTTPS
+		'secure' => Flux::config( 'ForceHTTPS' ),
+		// Only include the cookie in HTTP requests, making it inaccessible by Javascript
+		'httponly' => true,
+		// Only send the cookie to the domain+path defined above
+		'samesite' => 'Strict'
+	);
+
+	if( !session_set_cookie_params( $cookie_options ) ){
+		throw new Flux_Error( "Unable to configure the session cookie correctly" );
+	}
 	ini_set('session.gc_maxlifetime', $sessionExpireDuration);
 	ini_set('session.name', $sessionKey);
 	@session_start();

modules/install/index.php

@@ -23,12 +23,12 @@
 
 $minimumVersionCheck = [
 	'php' => [
-		'required' => '5.2.1',
-		'recommended' => '8.0.0'
+		'required' => '7.3.0',
+		'recommended' => '8.4.0'
 	],
 	'mysql' => [
 		'required' => '5.0.0',
-		'recommended' => '5.6.2'
+		'recommended' => '8.0.44'
 	]
 ];
 $sth = $server->connection->getStatement("SELECT VERSION() AS mysql_version, CURRENT_USER() AS mysql_user");