use secure and httponly cookies by default, secure cookies can be switched off in Admin >> site configuration, if required for sitemgr
This commit is contained in:
parent
cfd0923c97
commit
855c04cb2c
@ -624,6 +624,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
|
||||
usage admin de Einsatz
|
||||
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
|
||||
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
|
||||
use secure cookies (transmitted only via https) admin de Benutzer sichere Cookies (werden nur per https übertragen)
|
||||
use theme admin de Benutztes Farbschema
|
||||
user accounts admin de Benutzerkonten
|
||||
user csv export admin de CSV Export von Benutzern
|
||||
|
@ -623,6 +623,7 @@ uppercase, lowercase, number, special char admin en Uppercase, lowercase, number
|
||||
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
|
||||
usage admin en Usage
|
||||
use cookies to pass sessionid admin en Use cookies to pass session ID
|
||||
use secure cookies (transmitted only via https) admin en Use secure cookies (transmitted only via https)
|
||||
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
|
||||
use theme admin en Use theme
|
||||
user accounts admin en User accounts
|
||||
|
@ -75,6 +75,12 @@ class egw_session
|
||||
*/
|
||||
const EGW_SESSION_NAME = 'sessionid';
|
||||
|
||||
/**
|
||||
* Used mcrypt algorithm and mode
|
||||
*/
|
||||
const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
|
||||
const MCRYPT_MODE = MCRYPT_MODE_CBC;
|
||||
|
||||
/**
|
||||
* current user login (account_lid@domain)
|
||||
*
|
||||
@ -369,11 +375,11 @@ class egw_session
|
||||
*
|
||||
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
|
||||
* unlike the session id it's not know on the server, so only the client-request can decrypt the session!
|
||||
* @param string $algo='tripledes'
|
||||
* @param string $mode='ecb'
|
||||
* @param string $algo=self::MCRYPT_ALGO
|
||||
* @param string $mode=self::MCRYPT_MODE
|
||||
* @return boolean true if encryption is used, false otherwise
|
||||
*/
|
||||
static private function init_crypt($kp3,$algo='tripledes',$mode='ecb')
|
||||
static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
|
||||
{
|
||||
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
|
||||
{
|
||||
@ -1313,7 +1319,10 @@ class egw_session
|
||||
|
||||
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
||||
{
|
||||
$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain);
|
||||
$rv = setcookie($cookiename,$cookievalue,$cookietime,
|
||||
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
|
||||
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
|
||||
}
|
||||
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
|
||||
}
|
||||
@ -1350,7 +1359,9 @@ class egw_session
|
||||
}
|
||||
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
|
||||
|
||||
session_set_cookie_params(0,$path,$domain);
|
||||
session_set_cookie_params(0, $path, $domain,
|
||||
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
|
||||
}
|
||||
|
||||
/**
|
||||
|
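Review bot: The Secure flag in the new setcookie() and session_set_cookie_params() calls is derived solely from `$_SERVER['HTTPS']`, so when TLS is terminated at a reverse proxy and PHP itself sees plain HTTP the session cookie goes out without Secure, and the only admin knob added here (`insecure_cookies`) can switch Secure off but never force it on; an explicit "force secure cookies" site-config option (or a trusted-proxy check) would close that gap. The identical three-term expression is also duplicated in the two hunks at -1313 and -1350, so the call sites can drift apart on the next change; a single private static helper keeps them in sync and gives the intent a home. Its docblock should say that Secure is only set on HTTPS requests and that insecure_cookies is the site-configuration override (e.g. for SiteMgr), and the trailing `true` should be labelled as the HttpOnly flag at both call sites. Both enclosing methods begin outside their hunks, so I cannot see whether anything else in them already computes the scheme. Separately, the first hunk changes the default crypto mode to MCRYPT_MODE_CBC, which needs a fresh random IV per encryption; whether init_crypt supplies one is not visible in the diff and is worth confirming.
```php
/**
 * Should cookies be sent with the Secure flag?
 *
 * Only for requests PHP sees as HTTPS ($_SERVER['HTTPS'] set and not 'off');
 * the site-config option insecure_cookies switches it off, eg. for sitemgr.
 *
 * @return boolean
 */
static private function use_secure_cookies()
{
	return empty($GLOBALS['egw_info']['server']['insecure_cookies']) &&
		!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// … unchanged: cookie-setting method up to the headers_sent() check …
$rv = setcookie($cookiename, $cookievalue, $cookietime,
	is_null($cookiepath) ? self::$cookie_path : $cookiepath, self::$cookie_domain,
	self::use_secure_cookies(), true);	// true = HttpOnly, no script access

// … unchanged: cookie-domain method up to the $path/$domain computation …
session_set_cookie_params(0, $path, $domain, self::use_secure_cookies(), true);	// true = HttpOnly
```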