Fixed session/cookie and updated OpenEMR session/cookie strategy (openemr#2524)

Updated OpenEMR session/cookie strategy

1. If a session does not yet exist, then will start the OpenEMR session, which will create a cookie with OpenEMR name. If a session already exists, then this means portal is being used and will bypass setting of the OpenEMR session/cookie.
2. If using php version 7.3.0 or above, then will set the cookie_samesite in order to prevent csrf vulnerabilities. Setting it to Strict for now; if this is too strict on testing, then will instead set it to Lax.
3. Need to set cookie_httponly to false, since javascript needs to be able to access/modify the cookie to support separate logins into OpenEMR. This is important to support in OpenEMR since the application needs to robustly support access of separate patients via separate logins by same users. This is done via custom restore_session() javascript function; session IDs are effectively saved in the top level browser window.
4. Using use_strict_mode to optimize security.
5. Using sid_bits_per_character of 6 to optimize security. This does allow comma to be used in the session id, so need to ensure it is properly escaped when modifying it in the cookie.
6. Using sid_length of 48 to optimize security.
7. Setting gc_maxlifetime to 14400 since defaults for session.gc_maxlifetime is often too small.
8. Setting cookie_path to improve security when using different OpenEMR instances on same server to prevent session conflicts.
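The eight points above, written out as one PHP session bootstrap. This is an added illustration, not OpenEMR's own code from the commit; the function names, the `$cookiePath` parameter and its default value are assumptions.

```php
<?php
// Added illustration of the session strategy described in the commit message.
// Not OpenEMR's code: function names and the $cookiePath parameter are assumed.

function startOpenEmrSession(string $cookiePath = '/openemr/'): bool
{
    // 1. A session already being active means the portal started one;
    //    leave its cookie alone and do not start the OpenEMR session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return false;
    }

    // Keys are session.* ini directives without the "session." prefix.
    $options = [
        'name'                   => 'OpenEMR',    // 1. cookie named OpenEMR
        'cookie_httponly'        => false,        // 3. restore_session() JS must read/write it
        'use_strict_mode'        => true,         // 4. reject client-supplied uninitialized ids
        'sid_bits_per_character' => 6,            // 5. alphabet a-zA-Z0-9,- (note the comma)
        'sid_length'             => 48,           // 6.
        'gc_maxlifetime'         => 14400,        // 7. seconds; PHP default is usually too short
        'cookie_path'            => $cookiePath,  // 8. isolate instances sharing one host
    ];

    // 2. The SameSite attribute is only a session option on PHP >= 7.3.0.
    //    Strict blocks cross-site requests from carrying the cookie (CSRF);
    //    relax to 'Lax' if Strict breaks legitimate navigation in testing.
    if (PHP_VERSION_ID >= 70300) {
        $options['cookie_samesite'] = 'Strict';
    }

    return session_start($options);
}

// 5. With a 6-bit alphabet the id may contain ',' so the value handed to the
//    JavaScript side must be escaped before it is written back into the cookie.
function encodeSidForCookie(string $sid): string
{
    return rawurlencode($sid);
}
```

Calling `startOpenEmrSession()` before any output sends the `Set-Cookie` header with the path, HttpOnly and SameSite attributes derived from `$options`; `encodeSidForCookie(session_id())` is the value to hand to the client-side restore logic.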