Version 1.1.7 Improve Session Management

composer.lock

@@ -652,7 +652,7 @@
         },
         {
             "name": "symfony/event-dispatcher",
-            "version": "v3.4.10",
+            "version": "v3.4.11",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/event-dispatcher.git",
@@ -770,7 +770,7 @@
         },
         {
             "name": "symfony/yaml",
-            "version": "v2.8.40",
+            "version": "v2.8.41",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/yaml.git",

content/5_info/01-release-notes.md

@@ -2,6 +2,16 @@
 
 This is the version history with some release notes.
 
+## Version 1.1.7: Improved Session Management
+
+_Release date: 04.06.2018_
+
+**Please follow the instructions for minor updates** in the [documentation](/gettings-started/update). Please also update the Typemill theme.
+
+- URL to google sitemap is not displayed in settings.
+- Session Cookies are only set when authentication is required.
+- Added security headers for content security policy, refferers, strict transport.
+
 ## Version 1.1.6: Refactoring
 
 _Release date: 22.05.2018_

system/Controllers/Controller.php

@@ -27,7 +27,6 @@ abstract class Controller
 		if($this->c->request->getUri()->getScheme() == 'https')
 		{
 			$response = $response->withAddedHeader('Strict-Transport-Security', 'max-age=63072000');
-			$response = $response->withAddedHeader('Content-Security-Policy', 'default-src https:');
 		}
 			
 		$response = $response->withAddedHeader('X-Content-Type-Options', 'nosniff');

system/Settings.php

@@ -26,7 +26,7 @@ class Settings
 		
 		return [
 			'determineRouteBeforeAppMiddleware' 	=> true,
-			'displayErrorDetails' 					=> true,
+			'displayErrorDetails' 					=> false,
 			'title'									=> 'TYPEMILL',
 			'author'								=> 'Unknown',
 			'copyright'								=> 'Copyright',
@@ -43,7 +43,7 @@ class Settings
 			'contentFolder'							=> 'content',
 			'cache'									=> true,
 			'cachePath'								=> $rootPath . 'cache',
-			'version'								=> '1.1.6',
+			'version'								=> '1.1.7',
 			'setup'									=> true,
 			'welcome'								=> true
 		];

system/system.php

@@ -103,15 +103,15 @@ $container['assets'] = function($c)
 * 	DECIDE FOR SESSION	*
 ************************/
 
-$session_segments = array('setup/', 'tm/');
+$session_segments = array('setup', 'tm/', '/setup', '/tm/');
 $path = $container['request']->getUri()->getPath();
 $container['flash'] = false;
 $container['csrf'] = false;
 
 foreach($session_segments as $segment)
-{
+{	
 	if(substr( $path, 0, strlen($segment) ) === $segment)
-	{
+	{		
 		/* start a session */
 		ini_set( 'session.cookie_httponly', 1 );
 		ini_set('session.use_strict_mode', 1);
@@ -140,8 +140,6 @@ foreach($session_segments as $segment)
 		{
 			return new \Slim\Flash\Messages();
 		};
-				
-		break;
 	}
 }
 

themes/typemill/typemill.yaml

@@ -1,5 +1,5 @@
 name: Typemill Theme
-version: 1.0.7
+version: 1.0.8
 description: The standard theme for Typemill. Responsive, minimal and without any dependencies. It uses the system fonts Calibri and Helvetica. No JavaScript is used. 
 author: Sebastian Schürmanns
 homepage: http://typemill.net