fix cookies

conf/ldap/ldap.env

@@ -7,3 +7,4 @@ LDAP_FILTER="(&)"
 LDAP_UID="cn"
 
 HTTP_HOST=auth.example.com
+COOKIE_DOMAIN=example.com

src/web/helpers/auth.php

@@ -2,6 +2,32 @@
 
 $keys = array();
 
+function get_cookie() {
+	$cookie_name = 'X-LDAP-Auth-Key';
+	if(isset($_COOKIE[$cookie_name])) {
+		return $_COOKIE[$cookie_name];
+	} else {
+		return FALSE;
+	}
+}
+
+function store_cookie($key) {
+	$cookie_name = 'X-LDAP-Auth-Key';
+	$cookie_options = array (
+         'expires' => time() + 60*60*24*30,
+         'path' => '/',
+		 'domain' => getenv("COOKIE_DOMAIN"),
+		 'secure' => true,
+		 'httponly' => true,
+		 'samesite' => 'None'
+    );
+	setcookie(
+		$cookie_name,
+		$key,
+		$cookie_options
+	);
+}
+
 function load_key($key) {
 	$file = "/tmp/$key";
 	if (!file_exists($file))
@@ -34,10 +60,10 @@ function get_random($n)
 }
 
 function key_auth() {
-	if (!isset($_SESSION['auth'])) {
+	$key = get_cookie();
+	if ($key === FALSE) {
 		return FALSE;
 	}
-	$key = $_SESSION['auth'];
 	$data = load_key($key);
 	if ($data === FALSE) {
 		return FALSE;
@@ -55,5 +81,5 @@ function key_auth() {
 function key_new($user) {
 	$key = get_random(128);
 	store_key($key, $user);
-	$_SESSION['auth'] = $key;
+	store_cookie($key);
 }

src/web/index.php

@@ -10,15 +10,6 @@ require($webroot . '/helpers/ldap.php');
 require($webroot . '/helpers/auth.php');
 
 // start session
-session_set_cookie_params(
-	60 * 60 * 24, // lifetime (seconds),
-	'/', // path
-	NULL, // domain,
-	TRUE, // secure,
-	TRUE // http only
-);
-session_start();
-
 function page($file,  $data = array()) {
 	extract($data);
 	$webroot = $GLOBALS['webroot'];
@@ -56,8 +47,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 	if ($_SERVER['REQUEST_URI'] !== '/login') {
 		// we are being forwarded authed
 		// redirect
-		http_response_code(301);
+		http_response_code(303);
-		header("Location: https://$env/login");
+		header("Location: http://$env/login");
 	} else {
 		page('login', array(
 			'title' => 'Login'