From 37cc584ccdb3b39be3ae384098e95d42daa49081 Mon Sep 17 00:00:00 2001 From: boomzero Date: Sat, 27 Sep 2025 10:37:18 +0800 Subject: [PATCH 1/6] Fix: the PHPSESSID cookie is now httpOnly (#847) --- XMOJ.user.js | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/XMOJ.user.js b/XMOJ.user.js index aef69ff6..f184aba6 100644 --- a/XMOJ.user.js +++ b/XMOJ.user.js @@ -20,6 +20,7 @@ // @grant unsafeWindow // @grant GM_setValue // @grant GM_getValue +// @grant GM_cookie // @homepage https://www.xmoj-bbs.me/ // @supportURL https://support.xmoj-bbs.me/form/8050213e-c806-4680-b414-0d1c48263677 // @connect api.xmoj-bbs.tech @@ -479,6 +480,20 @@ let RequestAPI = (Action, Data, CallBack) => { Session = Temp[i].split("=")[1]; } } + if (Session === "") { //The cookie is httpOnly + GM.cookie.set({ + name: 'PHPSESSID', + value: Math.random().toString(36).substring(2, 15), + path: "/" + }) + .then(() => { + console.log('Reset PHPSESSID successfully.'); + location.reload(); //Refresh the page to auth with the new PHPSESSID + }) + .catch((error) => { + console.error(error); + }); + } let PostData = { "Authentication": { "SessionID": Session, "Username": CurrentUsername, @@ -1010,7 +1025,17 @@ async function main() { }); PopupUL.children[5].addEventListener("click", () => { clearCredential(); - document.cookie = "PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/"; //This is how you remove a cookie? + GM.cookie.set({ + name: 'PHPSESSID', + value: Math.random().toString(36).substring(2, 15), + path: "/" + }) + .then(() => { + console.log('Reset PHPSESSID successfully.'); + }) + .catch((error) => { + console.error(error); + }); //We can no longer rely of the server to set the cookie for us location.href = "https://www.xmoj.tech/logout.php"; }); Array.from(PopupUL.children).forEach(item => { From 6f174b4099e77d120559b330bd613a23e737ffb5 Mon Sep 17 00:00:00 2001 
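Review bot: In the new `if (Session === "")` branch of RequestAPI, the PHPSESSID is set from `Math.random()`, which is not a cryptographic generator, and without `httpOnly` or `secure`; this appears to swap the server-issued httpOnly cookie for a weaker, script-readable one. If the identifier has to be chosen client-side, take it from Web Crypto instead, e.g. `value: Array.from(crypto.getRandomValues(new Uint8Array(16)), (b) => b.toString(16).padStart(2, '0')).join('')`; the same `Math.random()` line is in the logout-handler hunk below and is only lengthened, not replaced, in both hunks of PATCH 2/6. A less invasive route, if the script manager exposes httpOnly cookies to the script, would be to read the existing value with `GM.cookie.list({ name: 'PHPSESSID' })` and leave the server's cookie untouched. The branch also has no `return;` after the `GM.cookie.set(...)` chain, so the `PostData` built just below still carries an empty `SessionID` while the reload is pending. RequestAPI starts and ends outside the hunk, so how that request is sent is not visible here.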
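Review bot: In the logout click handler, `location.href = "https://www.xmoj.tech/logout.php";` still runs synchronously right after `GM.cookie.set(...)` is started, so the navigation does not wait for the cookie write, and a rejected promise is only logged while the previous PHPSESSID stays in place. Chaining the navigation makes the ordering explicit: end the chain with `.finally(() => { location.href = "https://www.xmoj.tech/logout.php"; });` instead of the separate assignment. The trailing comment reads "rely of the server"; `rely on the server` is meant. The handler is registered inside main(), which begins and ends outside the hunk.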
From: boomzero Date: Sat, 27 Sep 2025 11:33:02 +0800 Subject: [PATCH 2/6] Change how we get a random PHPSESSID --- XMOJ.user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/XMOJ.user.js b/XMOJ.user.js index f184aba6..bfd20aae 100644 --- a/XMOJ.user.js +++ b/XMOJ.user.js @@ -483,7 +483,7 @@ let RequestAPI = (Action, Data, CallBack) => { if (Session === "") { //The cookie is httpOnly GM.cookie.set({ name: 'PHPSESSID', - value: Math.random().toString(36).substring(2, 15), + value: (Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2)).substring(0, 28), path: "/" }) .then(() => { @@ -1027,7 +1027,7 @@ async function main() { clearCredential(); GM.cookie.set({ name: 'PHPSESSID', - value: Math.random().toString(36).substring(2, 15), + value: (Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2)).substring(0, 28), path: "/" }) .then(() => { From b8d5922c9e12521702545a18dd3be39662ff241c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 27 Sep 2025 03:35:36 +0000 Subject: [PATCH 3/6] 2.3.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index ce3e35b6..9f1ef8ea 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "xmoj-script", - "version": "2.3.0", + "version": "2.3.1", "description": "an improvement script for xmoj.tech", "main": "AddonScript.js", "scripts": { From e3e8db8aa80592880f8ec7b91821e13a8723f380 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 27 Sep 2025 03:35:42 +0000 Subject: [PATCH 4/6] Update version info to 2.3.1 --- Update.json | 11 +++++++++++ XMOJ.user.js | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/Update.json b/Update.json index 4953be77..c98da902 100644 --- a/Update.json +++ b/Update.json 
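Review bot: The replacement `value:` expression in the RequestAPI hunk does not guarantee 28 characters: `Math.random().toString(36).slice(2)` yields a variable-length string (a single character for a value such as 0.5), and `.substring(0, 28)` only caps the length, so the identifier can come out shorter than intended. The same long expression is duplicated verbatim in the logout-handler hunk of this patch, so the two call sites can drift apart. One fixed-length helper defined once and used at both sites would address both, e.g. `const NewSessionID = () => Array.from(crypto.getRandomValues(new Uint8Array(14)), (b) => b.toString(16).padStart(2, '0')).join('');`, which always returns 28 hex characters. Both enclosing functions (RequestAPI and main) extend beyond the hunks.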
@@ -3058,6 +3058,17 @@ } ], "Notes": "随着 CI 更新, 相信以后的 release 都会有 release notes(" + }, + "2.3.1": { + "UpdateDate": 1758944137297, + "Prerelease": true, + "UpdateContents": [ + { + "PR": 856, + "Description": "修复由于 PHPSESSID 启用了 httpOnly 导致的后台不可用" + } + ], + "Notes": "本版本修复了由于 PHPSESSID 启用了 httpOnly 导致的后台不可用" } } } \ No newline at end of file diff --git a/XMOJ.user.js b/XMOJ.user.js index bfd20aae..563eddf5 100644 --- a/XMOJ.user.js +++ b/XMOJ.user.js @@ -1,6 +1,6 @@ // ==UserScript== // @name XMOJ -// @version 2.3.0 +// @version 2.3.1 // @description XMOJ增强脚本 // @author @XMOJ-Script-dev, @langningchen and the community // @namespace https://github/langningchen From 8eb331537f7ee12853d68e2eafbe0257986539f9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 27 Sep 2025 03:36:24 +0000 Subject: [PATCH 5/6] Update time and description of 2.3.1 --- Update.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Update.json b/Update.json index c98da902..77649d27 100644 --- a/Update.json +++ b/Update.json @@ -3060,7 +3060,7 @@ "Notes": "随着 CI 更新, 相信以后的 release 都会有 release notes(" }, "2.3.1": { - "UpdateDate": 1758944137297, + "UpdateDate": 1758944178711, "Prerelease": true, "UpdateContents": [ { @@ -3068,7 +3068,7 @@ "Description": "修复由于 PHPSESSID 启用了 httpOnly 导致的后台不可用" } ], - "Notes": "本版本修复了由于 PHPSESSID 启用了 httpOnly 导致的后台不可用" + "Notes": "本版本修复了由于 PHPSESSID 启用了 httpOnly 导致的后台不可用\nThis fixes #847." } } } \ No newline at end of file From 71cb5405f72492c8fd3f268b42a5d8611d2cd186 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sat, 27 Sep 2025 03:36:50 +0000 Subject: [PATCH 6/6] Update time and description of 2.3.1 --- Update.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Update.json b/Update.json index 77649d27..72357a37 100644 --- a/Update.json +++ b/Update.json 
@@ -3060,7 +3060,7 @@ "Notes": "随着 CI 更新, 相信以后的 release 都会有 release notes(" }, "2.3.1": { - "UpdateDate": 1758944178711, + "UpdateDate": 1758944205783, "Prerelease": true, "UpdateContents": [ { @@ -3068,7 +3068,7 @@ "Description": "修复由于 PHPSESSID 启用了 httpOnly 导致的后台不可用" } ], - "Notes": "本版本修复了由于 PHPSESSID 启用了 httpOnly 导致的后台不可用\nThis fixes #847." + "Notes": "本版本修复了由于 PHPSESSID 启用了 httpOnly 导致的后台不可用" } } } \ No newline at end of file