- Fixed a problem when URL_BASE is empty and would cause the path to be added to the session cookie

meta/definitions/software.php

@@ -86,11 +86,11 @@ return [
 
     JavascriptMiddleware::class => create(JavascriptMiddleware::class),
 
-    Cookie::class => create(Cookie::class)->constructor([ 'secure' => true, 'path' => getenv('URL_BASE'),  ], getenv("LEAN_RANDOM")),
+    Cookie::class => create(Cookie::class)->constructor([ 'secure' => true, 'samesite' => 'Strict' ], getenv("LEAN_RANDOM")),
 
-    Session::class => create(Session::class)->constructor(get(Cookie::class), [ 'path' => getenv('URL_BASE'),  ]),
+    Session::class => create(Session::class),
 
-    SessionMiddleware::class => create(SessionMiddleware::class)->constructor(get(Cookie::class), [  'path' => getenv('URL_BASE'), 'name' => "lean_sess_" . substr(md5(getenv("LEAN_RANDOM")), 0, 12) ]),
+    SessionMiddleware::class => create(SessionMiddleware::class)->constructor(get(Cookie::class), [ 'name' => "lean_sess_" . substr(md5(getenv("LEAN_RANDOM")), 0, 12), 'path' => getenv('URL_BASE') ?: '/' ]),
 
     'git.commit' => function($c) {
         if ( getenv("DEBUG") ) {

src/ControllerTrait.php

@@ -67,6 +67,10 @@ trait ControllerTrait {
     }
 
     protected function redirect(string $url, int $code = 302, array $headers = []) {
+        if ($code === 302 && empty(array_change_key_case($headers, CASE_LOWER)['cache-control'])) {
+            $headers['cache-control'] = 'no-store';
+        }
+
         return new RedirectResponse($url, $code, $headers);
     }
 

src/Routing.php

@@ -97,6 +97,7 @@ class Routing {
                         }
 
                         if ( $forbidden = $this->security->taxus($class, $method, $object->user) ) {
+
                             return $forbidden;
                         }