Fixed local_secure_restricted preventing attachment uploads

[bookstack] / app / Config / session.php

diff --git a/app/Config/session.php b/app/Config/session.php
index 37f1627bb5f5c151ae01748cdc06b8f5c7e7eeb2..a00d758071201903b137d12d27a2581f7e481867 100644 (file)
--- a/app/Config/session.php
+++ b/app/Config/session.php
@@ -1,5 +1,7 @@
 <?php
 
 <?php
 

+use Illuminate\Support\Str;
+

 /**
  * Session configuration options.
  *
 /**
  * Session configuration options.
  *


@@ -57,7 +59,7 @@ return [
     // The session cookie path determines the path for which the cookie will
     // be regarded as available. Typically, this will be the root path of
     // your application but you are free to change this when necessary.
     // The session cookie path determines the path for which the cookie will
     // be regarded as available. Typically, this will be the root path of
     // your application but you are free to change this when necessary.

-    'path' => '/',
+    'path' => '/' . (explode('/', env('APP_URL', ''), 4)[3] ?? ''),

 
     // Session Cookie Domain
     // Here you may change the domain of the cookie used to identify a session
 
     // Session Cookie Domain
     // Here you may change the domain of the cookie used to identify a session


@@ -69,7 +71,8 @@ return [
     // By setting this option to true, session cookies will only be sent back
     // to the server if the browser has a HTTPS connection. This will keep
     // the cookie from being sent to you if it can not be done securely.
     // By setting this option to true, session cookies will only be sent back
     // to the server if the browser has a HTTPS connection. This will keep
     // the cookie from being sent to you if it can not be done securely.

-    'secure' => env('SESSION_SECURE_COOKIE', false),
+    'secure' => env('SESSION_SECURE_COOKIE', null)
+        ?? Str::startsWith(env('APP_URL', ''), 'https:'),

 
     // HTTP Access Only
     // Setting this value to true will prevent JavaScript from accessing the
 
     // HTTP Access Only
     // Setting this value to true will prevent JavaScript from accessing the


@@ -80,6 +83,6 @@ return [
     // This option determines how your cookies behave when cross-site requests
     // take place, and can be used to mitigate CSRF attacks. By default, we
     // do not enable this as other CSRF protection services are in place.
     // This option determines how your cookies behave when cross-site requests
     // take place, and can be used to mitigate CSRF attacks. By default, we
     // do not enable this as other CSRF protection services are in place.

-    // Options: lax, strict
-    'same_site' => null,
+    // Options: lax, strict, none
+    'same_site' => 'lax',

 ];
 ];