Browsers rejecting Session Cookie with localhost domain
sgerlach opened this issue
Describe the bug
When DVWA starts a session, the code currently sets HTTP_HOST as the domain in the session cookie. Browsers are rejecting this setting as an incorrect domain name. Should probably add a check to this section of code to unset the domain name if it's localhost.
https://www.php.net/manual/en/function.setcookie.php#73107
To Reproduce
Steps to reproduce the behaviour:
- Install current DVWA on local system or in Docker environment
- Load http://localhost/login.php
- Observe the browser console error that indicates the cookie violates domain name policy and does not set the cookie
Expected behaviour
Session cookie should/must be set to be able to use DVWA.
What have you done to help fix the issue yourself?
Local code rewrite fixes this issue in development environment
System (please complete the following information):
- OS: Ubuntu
- Database and Version: MariaDB 10.5.18
- PHP Version 8.1
- Installed PHP modules - mysqli
Additional context
DVWA/dvwa/includes/dvwaPage.inc.php, line 49 in 1ef8152
Code could probably look something like this:
```php
$maxlifetime = 86400;
$secure = false;
$httponly = true;     // assumed value; defined earlier in dvwaPage.inc.php, shown so the snippet is complete
$samesite = 'Strict'; // assumed value, as above
// Strip any :port suffix so "localhost:8080" is treated like "localhost".
$host = strtolower(explode(':', $_SERVER['HTTP_HOST'])[0]);
// An empty domain omits the Domain attribute entirely, producing a host-only
// cookie that browsers accept; Domain=localhost is rejected and the cookie dropped.
$domain = ($host === 'localhost') ? '' : $host;
session_set_cookie_params([
    'lifetime' => $maxlifetime,
    'path'     => '/',
    'domain'   => $domain,
    'secure'   => $secure,
    'httponly' => $httponly,
    'samesite' => $samesite
]);
session_start();
```
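The same idea carried further, as an added example that is not DVWA's code and not part of the issue above: browsers refuse a Domain attribute that is "localhost", a bare IP address or any other single-label name, so the safe general rule is to send a host-only cookie (no Domain attribute) in all of those cases and only set Domain for a real dotted host name. The function names, the CLI self-check and the `httponly`/`samesite` values are this example's own assumptions.

```php
<?php
// Added example (not DVWA project code): a general replacement for the
// "$_SERVER['HTTP_HOST'] == 'localhost'" check. Returns '' whenever the
// Domain attribute must be omitted (host-only cookie), otherwise the bare host.
declare(strict_types=1);

/**
 * Derive the session cookie 'domain' parameter from the HTTP Host header.
 * '' (omit Domain) for: localhost, IPv4/IPv6 literals, single-label hosts,
 * unparsable input. Otherwise the lowercased host with any :port removed.
 */
function cookie_domain_from_host(string $httpHost): string
{
    $host = strtolower(trim($httpHost));
    if ($host === '') {
        return '';
    }
    // parse_url splits off ":port" and keeps bracketed IPv6 literals intact ("[::1]:8080").
    $parts = parse_url('http://' . $host);
    if ($parts === false || !isset($parts['host'])) {
        return '';
    }
    $host = $parts['host'];
    // IPv6 literal: parse_url returns it with the brackets, e.g. "[::1]".
    if ($host[0] === '[') {
        return '';
    }
    // IPv4 literal such as 127.0.0.1 or 192.168.1.10.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return '';
    }
    // "localhost", "dvwa" (a Docker service name) or any name without a dot.
    if ($host === 'localhost' || !str_contains($host, '.')) {
        return '';
    }
    return $host;
}

/**
 * Start the session with parameters like DVWA's, setting Domain only when a
 * browser will accept it. httponly/samesite values are assumed for this example.
 */
function start_session_for_host(string $httpHost): void
{
    session_set_cookie_params([
        'lifetime' => 86400,
        'path'     => '/',
        'domain'   => cookie_domain_from_host($httpHost),
        'secure'   => false,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed Host header values: php cookie_domain.php
    $cases = [
        'localhost'             => '',
        'localhost:8080'        => '',
        '127.0.0.1'             => '',
        '[::1]:8080'            => '',
        'dvwa'                  => '',
        'dvwa.example.com'      => 'dvwa.example.com',
        'DVWA.Example.com:8443' => 'dvwa.example.com',
    ];
    foreach ($cases as $host => $expected) {
        $got = cookie_domain_from_host($host);
        printf("%-24s -> %-18s %s\n", $host,
               $got === '' ? '(host-only)' : $got,
               $got === $expected ? 'ok' : 'MISMATCH');
    }
} else {
    start_session_for_host($_SERVER['HTTP_HOST'] ?? '');
}
```

Two practical notes. First, an empty string is the documented way to omit the Domain attribute from `session_set_cookie_params()`; the `false` in the snippet above only works because PHP coerces it to "". Second, a host-only cookie is the safer default anyway: a Domain attribute widens the cookie's scope to every subdomain of that value, which is rarely what a single-host application such as DVWA wants.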