From 0c76c4bee15d8b7bcbd907df0c1e1411f92308d1 Mon Sep 17 00:00:00 2001
From: Alex <40072887+alexdcrane@users.noreply.github.com>
Date: Fri, 3 Oct 2025 15:35:50 -0700
Subject: [PATCH] Add HttpOnly, Secure, and Samesite session settings to
 config.conf (#7548)

* Add HttpOnly, Secure, and Samesite session settings to config.conf

* Update upgrade_menu.php

* Update upgrade.php

* Update install.php
---
 core/install/resources/classes/install.php | 5 +++++
 core/upgrade/upgrade.php                   | 5 +++++
 core/upgrade/upgrade_menu.php              | 5 +++++
 resources/require.php                      | 6 +++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/core/install/resources/classes/install.php b/core/install/resources/classes/install.php
index 221d7b4c38..5c9087cd60 100644
--- a/core/install/resources/classes/install.php
+++ b/core/install/resources/classes/install.php
@@ -126,6 +126,11 @@
 			$conf .= "php.dir = ".$php_dir."\n";
 			$conf .= "php.bin = php\n";
 			$conf .= "\n";
+			$conf .= "#session settings\n";
+			$conf .= "session.cookie_httponly = true\n";
+			$conf .= "session.cookie_secure = true\n";
+			$conf .= "session.cookie_samesite = Lax\n";
+			$conf .= "\n";
 			$conf .= "#cache settings\n";
 			$conf .= "cache.method = file\n";
 			$conf .= "cache.location = ".$cache_location."\n";
diff --git a/core/upgrade/upgrade.php b/core/upgrade/upgrade.php
index 06809178bb..8aff8e1200 100644
--- a/core/upgrade/upgrade.php
+++ b/core/upgrade/upgrade.php
@@ -112,6 +112,11 @@
 		$conf .= "php.dir = ".$php_dir."\n";
 		$conf .= "php.bin = php\n";
 		$conf .= "\n";
+		$conf .= "#session settings\n";
+		$conf .= "session.cookie_httponly = true\n";
+		$conf .= "session.cookie_secure = true\n";
+		$conf .= "session.cookie_samesite = Lax\n";
+		$conf .= "\n";
 		$conf .= "#cache settings\n";
 		$conf .= "cache.method = file\n";
 		$conf .= "cache.location = ".$cache_location."\n";
diff --git a/core/upgrade/upgrade_menu.php b/core/upgrade/upgrade_menu.php
index 05eb1f6f52..2e2a784ed0 100644
--- a/core/upgrade/upgrade_menu.php
+++ b/core/upgrade/upgrade_menu.php
@@ -534,6 +534,11 @@ function load_config_php() {
 	$conf .= "php.dir = " . PHP_BINDIR . "\n";
 	$conf .= "php.bin = php\n";
 	$conf .= "\n";
+	$conf .= "#session settings\n";
+	$conf .= "session.cookie_httponly = true\n";
+	$conf .= "session.cookie_secure = true\n";
+	$conf .= "session.cookie_samesite = Lax\n";
+	$conf .= "\n";
 	$conf .= "#cache settings\n";
 	$conf .= "cache.method = file\n";
 	$conf .= "cache.location = /var/cache/fusionpbx\n";
diff --git a/resources/require.php b/resources/require.php
index 855be2329c..71f46666b1 100644
--- a/resources/require.php
+++ b/resources/require.php
@@ -91,9 +91,9 @@
 //start the session if not using the command line
 	global $no_session;
 	if (!defined('STDIN') && empty($no_session)) {
-		ini_set('session.cookie_httponly', 'true');
-		ini_set('session.cookie_secure', 'true');
-		ini_set('session.cookie_samesite', 'Lax');
+		ini_set('session.cookie_httponly', !isset($conf['session.cookie_httponly']) ? 'true' : (!empty($config->get('session.cookie_httponly')) ? 'true' : 'false'));
+		ini_set('session.cookie_secure', !isset($conf['session.cookie_secure']) ? 'true' : (!empty($config->get('session.cookie_secure')) ? 'true' : 'false'));
+		ini_set('session.cookie_samesite', $config->get('session.cookie_samesite', 'Lax'));
 		session_start();
 	}