use secure and httponly cookies by default, secure cookies can be switched off in Admin >> site configuration, if required for sitemgr

This commit is contained in:
Ralf Becker 2013-09-11 13:06:27 +00:00
parent ab9f1e32b0
commit 3c160e5062
3 changed files with 18 additions and 5 deletions

View File

@ -609,6 +609,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
usage admin de Einsatz usage admin de Einsatz
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert) use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
use secure cookies (transmitted only via https) admin de Benutzer sichere Cookies (werden nur per https übertragen)
use theme admin de Benutztes Farbschema use theme admin de Benutztes Farbschema
user accounts admin de Benutzerkonten user accounts admin de Benutzerkonten
user csv export admin de CSV Export von Benutzern user csv export admin de CSV Export von Benutzern

View File

@ -616,6 +616,7 @@ uppercase, lowercase, number, special char admin en Uppercase, lowercase, number
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
usage admin en Usage usage admin en Usage
use cookies to pass sessionid admin en Use cookies to pass session ID use cookies to pass sessionid admin en Use cookies to pass session ID
use secure cookies (transmitted only via https) admin en Use secure cookies (transmitted only via https)
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
use theme admin en Use theme use theme admin en Use theme
user accounts admin en User accounts user accounts admin en User accounts

View File

@ -75,6 +75,12 @@ class egw_session
*/ */
const EGW_SESSION_NAME = 'sessionid'; const EGW_SESSION_NAME = 'sessionid';
/**
* Used mcrypt algorithm and mode
*/
const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
const MCRYPT_MODE = MCRYPT_MODE_CBC;
/** /**
* current user login (account_lid@domain) * current user login (account_lid@domain)
* *
@ -365,11 +371,11 @@ class egw_session
* *
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id, * @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
* unlike the session id it's not know on the server, so only the client-request can decrypt the session! * unlike the session id it's not know on the server, so only the client-request can decrypt the session!
* @param string $algo='tripledes' * @param string $algo=self::MCRYPT_ALGO
* @param string $mode='ecb' * @param string $mode=self::MCRYPT_MODE
* @return boolean true if encryption is used, false otherwise * @return boolean true if encryption is used, false otherwise
*/ */
static private function init_crypt($kp3,$algo='tripledes',$mode='ecb') static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
{ {
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled']) if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
{ {
@ -1295,7 +1301,10 @@ class egw_session
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
{ {
$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain); $rv = setcookie($cookiename,$cookievalue,$cookietime,
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
} }
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true)); //error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
} }
@ -1332,7 +1341,9 @@ class egw_session
} }
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n"; //echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
session_set_cookie_params(0,$path,$domain); session_set_cookie_params(0, $path, $domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
} }
/** /**