mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-23 08:23:12 +01:00
use secure and httponly cookies by default, secure cookies can be switched off in Admin >> site configuration, if required for sitemgr
This commit is contained in:
parent
8c9f2a768e
commit
dea0e0a81a
@ -536,6 +536,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
|
||||
usage admin de Einsatz
|
||||
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
|
||||
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
|
||||
use secure cookies (transmitted only via https) admin de Benutzer sichere Cookies (werden nur per https übertragen)
|
||||
use theme admin de Benutztes Farbschema
|
||||
user accounts admin de Benutzerkonten
|
||||
user data common de Benutzerdaten
|
||||
|
@ -536,6 +536,7 @@ updated admin en Updated
|
||||
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
|
||||
usage admin en Usage
|
||||
use cookies to pass sessionid admin en Use cookies to pass session ID
|
||||
use secure cookies (transmitted only via https) admin en Use secure cookies (transmitted only via https)
|
||||
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
|
||||
use theme admin en Use theme
|
||||
user accounts admin en User accounts
|
||||
|
@ -168,6 +168,16 @@
|
||||
</tr>
|
||||
|
||||
<tr class="row_on">
|
||||
<td>{lang_Use_secure_cookies_(transmitted_only_via_https)}</td>
|
||||
<td>
|
||||
<select name="newsettings[insecure_cookies]">
|
||||
<option value="">{lang_Yes} - {lang_more_secure}</option>
|
||||
<option value="insecure"{selected_insecure_cookies_insecure}>{lang_No}</option>
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_off">
|
||||
<td>{lang_Deny_all_users_access_to_grant_other_users_access_to_their_entries_?}:</td>
|
||||
<td>
|
||||
<select name="newsettings[deny_user_grants_access]">
|
||||
|
@ -75,6 +75,12 @@ class egw_session
|
||||
*/
|
||||
const EGW_SESSION_NAME = 'sessionid';
|
||||
|
||||
/**
|
||||
* Used mcrypt algorithm and mode
|
||||
*/
|
||||
const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
|
||||
const MCRYPT_MODE = MCRYPT_MODE_CBC;
|
||||
|
||||
/**
|
||||
* current user login (account_lid@domain)
|
||||
*
|
||||
@ -366,11 +372,11 @@ class egw_session
|
||||
*
|
||||
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
|
||||
* unlike the session id it's not know on the server, so only the client-request can decrypt the session!
|
||||
* @param string $algo='tripledes'
|
||||
* @param string $mode='ecb'
|
||||
* @param string $algo=self::MCRYPT_ALGO
|
||||
* @param string $mode=self::MCRYPT_MODE
|
||||
* @return boolean true if encryption is used, false otherwise
|
||||
*/
|
||||
static private function init_crypt($kp3,$algo='tripledes',$mode='ecb')
|
||||
static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
|
||||
{
|
||||
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
|
||||
{
|
||||
@ -1258,7 +1264,13 @@ class egw_session
|
||||
}
|
||||
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($cookiename,$cookievalue,$cookietime,$cookiepath,".self::$cookie_domain.")");
|
||||
|
||||
$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain);
|
||||
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
||||
{
|
||||
$rv = setcookie($cookiename,$cookievalue,$cookietime,
|
||||
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
|
||||
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
|
||||
}
|
||||
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
|
||||
}
|
||||
|
||||
@ -1294,7 +1306,9 @@ class egw_session
|
||||
}
|
||||
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
|
||||
|
||||
session_set_cookie_params(0,$path,$domain);
|
||||
session_set_cookie_params(0, $path, $domain,
|
||||
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
|
||||
}
|
||||
|
||||
/**
|
||||
|
Loading…
Reference in New Issue
Block a user