Add additional PHP settings and cookie configurations (#164)

Add additional PHP settings and cookie configurations

---------

Co-authored-by: diegolamaral <[email protected]>

Author: Diogo-Rego

core/files/configure_misp.sh

@@ -219,6 +219,26 @@ set_up_aad() {
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
 }
 
+set_up_session() {
+    # Command to modify MISP session configuration
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Session\": {
+            \"timeout\": ${PHP_SESSION_TIMEOUT},
+            \"cookie_timeout\": ${PHP_SESSION_COOKIE_TIMEOUT},
+            \"defaults\": \"${PHP_SESSION_DEFAULTS}\",
+            \"autoRegenerate\": ${PHP_SESSION_AUTO_REGENERATE},
+            \"checkAgent\": ${PHP_SESSION_CHECK_AGENT},
+            \"ini\": {
+                \"session.cookie_secure\": ${PHP_SESSION_COOKIE_SECURE},
+                \"session.cookie_domain\": \"${PHP_SESSION_COOKIE_DOMAIN}\",
+                \"session.cookie_samesite\": \"${PHP_SESSION_COOKIE_SAMESITE}\"
+            }
+        }
+    }" > /dev/null
+
+    echo "... Session configured"
+}
+
 set_up_proxy() {
     if [[ "$PROXY_ENABLE" == "true" ]]; then
         echo "... configuring proxy settings"
@@ -411,6 +431,8 @@ echo "MISP | Set Up LDAP ..." && set_up_ldap
 
 echo "MISP | Set Up AAD ..." && set_up_aad
 
+echo "MISP | Set Up Session ..." && set_up_session
+
 echo "MISP | Set Up Proxy ..." && set_up_proxy
 
 echo "MISP | Mark instance live"

core/files/entrypoint.sh

@@ -45,6 +45,15 @@ export PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}
 export PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}
 export PHP_MAX_INPUT_TIME=${PHP_MAX_INPUT_TIME:-300}
 
+export PHP_SESSION_TIMEOUT=${PHP_SESSION_TIMEOUT:-60}
+export PHP_SESSION_COOKIE_TIMEOUT=${PHP_SESSION_COOKIE_TIMEOUT:-10080}
+export PHP_SESSION_DEFAULTS=${PHP_SESSION_DEFAULTS:-php}
+export PHP_SESSION_AUTO_REGENERATE=${PHP_SESSION_AUTO_REGENERATE:-false}
+export PHP_SESSION_CHECK_AGENT=${PHP_SESSION_CHECK_AGENT:-false}
+export PHP_SESSION_COOKIE_SECURE=${PHP_SESSION_COOKIE_SECURE:-true}
+export PHP_SESSION_COOKIE_DOMAIN=${PHP_SESSION_COOKIE_DOMAIN}
+export PHP_SESSION_COOKIE_SAMESITE=${PHP_SESSION_COOKIE_SAMESITE:-Lax}
+
 export NGINX_X_FORWARDED_FOR=${NGINX_X_FORWARDED_FOR:-false}
 export NGINX_SET_REAL_IP_FROM=${NGINX_SET_REAL_IP_FROM}
 

docker-compose.yml

@@ -193,11 +193,20 @@ services:
       - "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
       - "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
       - "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
+      # Additional PHP settings
+      - "PHP_SESSION_TIMEOUT=${PHP_SESSION_TIMEOUT:-60}"
+      - "PHP_SESSION_COOKIE_TIMEOUT=${PHP_SESSION_COOKIE_TIMEOUT:-10080}"
+      - "PHP_SESSION_DEFAULTS=${PHP_SESSION_DEFAULTS:-php}"
+      - "PHP_SESSION_AUTO_REGENERATE=${PHP_SESSION_AUTO_REGENERATE:-false}"
+      - "PHP_SESSION_CHECK_AGENT=${PHP_SESSION_CHECK_AGENT:-false}"
+      - "PHP_SESSION_COOKIE_SECURE=${PHP_SESSION_COOKIE_SECURE:-true}"
+      - "PHP_SESSION_COOKIE_DOMAIN=${PHP_SESSION_COOKIE_DOMAIN}"
+      - "PHP_SESSION_COOKIE_SAMESITE=${PHP_SESSION_COOKIE_SAMESITE:-Lax}"
       # Security Settings
       - "HSTS_MAX_AGE=${HSTS_MAX_AGE}"
       - "X_FRAME_OPTIONS=${X_FRAME_OPTIONS}"
       - "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}"
-  
+
   misp-modules:
     image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}
     build:

template.env

@@ -178,13 +178,38 @@ SYNCSERVERS_1_PULL_RULES=
 # FASTCGI_SEND_TIMEOUT=300s
 # FASTCGI_CONNECT_TIMEOUT=300s
 
-# PHP fpm configuration
+# PHP FPM configuration
+
+## Basic PHP settings
+# Maximum memory a PHP script can use.
 # PHP_MEMORY_LIMIT=2048M
+# Maximum execution time for a PHP script in seconds.
 # PHP_MAX_EXECUTION_TIME=300
+# Maximum file upload size for PHP scripts.
 # PHP_UPLOAD_MAX_FILESIZE=50M
+# Maximum size for POST data sent to PHP.
 # PHP_POST_MAX_SIZE=50M
+# Maximum time PHP spends parsing input data in seconds.
 # PHP_MAX_INPUT_TIME=300
 
+## Additional PHP settings
+# Timeout (in minutes) for user session inactivity before it expires.
+# PHP_SESSION_TIMEOUT=60
+# Session cookie validity period in minutes.
+# PHP_SESSION_COOKIE_TIMEOUT=10080
+# Default PHP configurations.
+# PHP_SESSION_DEFAULTS=php
+# Automatically regenerate session ID on each request.
+# PHP_SESSION_AUTO_REGENERATE=false
+# Check user agent on each request for security.
+# PHP_SESSION_CHECK_AGENT=false
+# Only send session cookies over HTTPS.
+# PHP_SESSION_COOKIE_SECURE=true
+# Domain for session cookie validity (leave empty for current domain).
+# PHP_SESSION_COOKIE_DOMAIN=
+# SameSite policy for cookies ("Lax" allows top-level navigation).
+# PHP_SESSION_COOKIE_SAMESITE=Lax
+
 # MariaSQL/MySQL (InnoDB) configuration
 # INNODB_BUFFER_POOL_SIZE=2048M
 # INNODB_CHANGE_BUFFERING=none