diff --git a/admin/lang/egw_de.lang b/admin/lang/egw_de.lang
index 3666643a2a..f34074947c 100644
--- a/admin/lang/egw_de.lang
+++ b/admin/lang/egw_de.lang
@@ -624,6 +624,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
 usage	admin	de	Einsatz
 use cookies to pass sessionid	admin	de	Sitzungs-ID in einem Cookie speichern
 use pure html compliant code (not fully working yet)	admin	de	Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
+use secure cookies (transmitted only via https)	admin	de	Benutzer sichere Cookies (werden nur per https übertragen)
 use theme	admin	de	Benutztes Farbschema
 user accounts	admin	de	Benutzerkonten
 user csv export	admin	de	CSV Export von Benutzern
diff --git a/admin/lang/egw_en.lang b/admin/lang/egw_en.lang
index da86704ed0..be19134170 100644
--- a/admin/lang/egw_en.lang
+++ b/admin/lang/egw_en.lang
@@ -623,6 +623,7 @@ uppercase, lowercase, number, special char admin en Uppercase, lowercase, number
 url of the egroupware installation, eg. http://domain.com/egroupware	admin	en	URL of the EGroupware installation, e.g. http://domain.com/egroupware
 usage	admin	en	Usage
 use cookies to pass sessionid	admin	en	Use cookies to pass session ID
+use secure cookies (transmitted only via https)	admin	en	Use secure cookies (transmitted only via https)
 use pure html compliant code (not fully working yet)	admin	en	Use pure HTML compliant code
 use theme	admin	en	Use theme
 user accounts	admin	en	User accounts
diff --git a/phpgwapi/inc/class.egw_session.inc.php b/phpgwapi/inc/class.egw_session.inc.php
index e2b5ac8c11..ccfd51385d 100644
--- a/phpgwapi/inc/class.egw_session.inc.php
+++ b/phpgwapi/inc/class.egw_session.inc.php
@@ -75,6 +75,12 @@ class egw_session
 	 */
 	const EGW_SESSION_NAME = 'sessionid';
 
+	/**
+	 * Used mcrypt algorithm and mode
+	 */
+	const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
+	const MCRYPT_MODE = MCRYPT_MODE_CBC;
+
 	/**
 	 * current user login (account_lid@domain)
 	 *
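Review bot: The two new class constants take their values from the mcrypt extension, so on a host where mcrypt is not loaded `MCRYPT_RIJNDAEL_128` and `MCRYPT_MODE_CBC` are undefined constants; since `self::MCRYPT_ALGO` is also the default value of init_crypt in the next hunk, resolving it there would presumably raise an undefined-constant notice before the `mcrypt_enabled` guard in the body is reached. The mcrypt constants are plain strings, so `const MCRYPT_ALGO = 'rijndael-128';` and `const MCRYPT_MODE = 'cbc';` keep the same values without depending on the extension being loaded. Moving from TripleDES/ECB to Rijndael-128/CBC is an improvement, but CBC needs a fresh unpredictable IV per encryption and provides no integrity protection, and the IV handling is outside this diff; the docblock should say so, e.g. `Used mcrypt algorithm and mode: Rijndael with 128-bit blocks in CBC mode (needs a random IV per encryption, no integrity check)`. Changing the defaults also means session data encrypted under the old tripledes/ecb defaults can presumably no longer be decrypted after the upgrade, which is worth stating in the commit message.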
@@ -369,11 +375,11 @@ class egw_session
 	 *
 	 * @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
 	 * unlike the session id it's not know on the server, so only the client-request can decrypt the session!
-	 * @param string $algo='tripledes'
-	 * @param string $mode='ecb'
+	 * @param string $algo=self::MCRYPT_ALGO
+	 * @param string $mode=self::MCRYPT_MODE
 	 * @return boolean true if encryption is used, false otherwise
 	 */
-	static private function init_crypt($kp3,$algo='tripledes',$mode='ecb')
+	static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
 	{
 		if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
 		{
@@ -1313,7 +1319,10 @@ class egw_session
 		if(!headers_sent())	// gives only a warning, but can not send the cookie anyway
 		{
-			$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain);
+			$rv = setcookie($cookiename,$cookievalue,$cookietime,
+				is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
+				// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
+				empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
 		}
 		//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
 	}
@@ -1350,7 +1359,9 @@ class egw_session
 		}
 		//echo "
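Review bot: The secure flag in the new setcookie() call is derived from `$_SERVER['HTTPS']`, which is typically not set when TLS is terminated by a reverse proxy in front of PHP; in that deployment the condition silently evaluates to false and the cookies set through egw_setcookie go out without the secure attribute even though the user is on an https site. The same expression is repeated verbatim in the session_set_cookie_params hunk below, so it belongs in one helper whose docblock states that requirement and the `insecure_cookies` override; a sketch follows. The enclosing method's body starts before this hunk.
```php
	/**
	 * Should cookies be sent with the secure attribute (https only)?
	 *
	 * True if the request came in via https and insecure_cookies is not configured.
	 * NOTE: behind a TLS-terminating proxy $_SERVER['HTTPS'] is usually empty, so the
	 * proxy or webserver has to set it for secure cookies to be used.
	 *
	 * @return boolean
	 */
	static function cookie_secure()
	{
		return empty($GLOBALS['egw_info']['server']['insecure_cookies']) &&
			!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
	}

	// … unchanged: egw_setcookie up to the setcookie() call …
			$rv = setcookie($cookiename,$cookievalue,$cookietime,
				is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
				self::cookie_secure(), true);	// true: httponly
```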
cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'
 \n";
-		session_set_cookie_params(0,$path,$domain);
+		session_set_cookie_params(0, $path, $domain,
+			// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
+			empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
 	}
 	/**