need to tell php session to use secure and httponly cookies too

This commit is contained in:
Ralf Becker 2013-09-11 12:39:53 +00:00
parent 26121ae3d4
commit ab9f1e32b0


@ -165,21 +165,22 @@ class setup
* *
* @return string domain * @return string domain
*/ */
function set_cookiedomain() static function cookiedomain()
{ {
// Use HTTP_X_FORWARDED_HOST if set, which is the case behind a none-transparent proxy // Use HTTP_X_FORWARDED_HOST if set, which is the case behind a none-transparent proxy
$this->cookie_domain = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST']; $cookie_domain = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
// remove port from HTTP_HOST // remove port from HTTP_HOST
if (preg_match("/^(.*):(.*)$/",$this->cookie_domain,$arr)) if (preg_match("/^(.*):(.*)$/",$cookie_domain,$arr))
{ {
$this->cookie_domain = $arr[1]; $cookie_domain = $arr[1];
} }
if (count(explode('.',$this->cookie_domain)) <= 1) if (count(explode('.',$cookie_domain)) <= 1)
{ {
// setcookie dont likes domains without dots, leaving it empty, gets setcookie to fill the domain in // setcookie dont likes domains without dots, leaving it empty, gets setcookie to fill the domain in
$this->cookie_domain = ''; $cookie_domain = '';
} }
return $cookie_domain;
} }
/** /**
@ -193,7 +194,7 @@ class setup
{ {
if(!isset($this->cookie_domain)) if(!isset($this->cookie_domain))
{ {
$this->set_cookiedomain(); $this->cookie_domain = self::cookiedomain();
} }
setcookie($cookiename, $cookievalue, $cookietime, '/', $this->cookie_domain, setcookie($cookiename, $cookievalue, $cookietime, '/', $this->cookie_domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true) // if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
@ -244,6 +245,10 @@ class setup
ini_set('session.use_cookie', true); ini_set('session.use_cookie', true);
session_name(self::SESSIONID); session_name(self::SESSIONID);
session_set_cookie_params(0, '/', self::cookiedomain(),
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
if (isset($_COOKIE[self::SESSIONID])) session_id($_COOKIE[self::SESSIONID]); if (isset($_COOKIE[self::SESSIONID])) session_id($_COOKIE[self::SESSIONID]);
return @session_start(); // suppress notice if session already started or warning in CLI return @session_start(); // suppress notice if session already started or warning in CLI
@ -319,7 +324,7 @@ class setup
$_SESSION['ConfigLang'] = self::get_lang(); $_SESSION['ConfigLang'] = self::get_lang();
$_SESSION['egw_last_action_time'] = time(); $_SESSION['egw_last_action_time'] = time();
session_regenerate_id(true); session_regenerate_id(true);
$this->set_cookie(self::SESSIONID, session_id(), 0);
return true; return true;
} }
//error_log(__METHOD__."('$auth_type') \$_COOKIE['".self::SESSIONID."'] = ".array2string($_COOKIE[self::SESSIONID]).", \$_SESSION=".array2string($_SESSION)); //error_log(__METHOD__."('$auth_type') \$_COOKIE['".self::SESSIONID."'] = ".array2string($_COOKIE[self::SESSIONID]).", \$_SESSION=".array2string($_SESSION));
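Review bot: The secure flag handed to session_set_cookie_params() in the third hunk is derived from `$_SERVER['HTTPS']` alone, so behind the TLS-terminating proxy that cookiedomain() already accommodates via HTTP_X_FORWARDED_HOST the session cookie is marked non-secure and is then sent over plain HTTP; the same expression is duplicated from set_cookie() in the second hunk, so a helper such as `static function is_https()` returning `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` would keep both call sites in step and give one place to handle the proxy case (honouring any proxy-provided signal only from a trusted proxy, as the existing HTTP_X_FORWARDED_HOST use already assumes). Until then the comment above the call should state what is actually tested: `// secure flag from the direct connection only: unset behind a TLS-terminating proxy, so the session cookie is then sent over plain HTTP`. The context line just above the new call reads `ini_set('session.use_cookie', true)`; PHP's directive is `session.use_cookies`, so that call most likely has no effect and the setting silently falls back to php.ini. The enclosing method starts and ends outside the hunk.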