use secure and httponly cookies by default, secure cookies can be switched off in Admin >> site configuration, if required for sitemgr

Ralf Becker 2013-09-11 13:09:45 +00:00
parent 8c9f2a768e
commit dea0e0a81a
4 changed files with 31 additions and 5 deletions


@ -536,6 +536,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
usage admin de Einsatz
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
use secure cookies (transmitted only via https) admin de Benutzer sichere Cookies (werden nur per https übertragen)
use theme admin de Benutztes Farbschema
user accounts admin de Benutzerkonten
user data common de Benutzerdaten


@ -536,6 +536,7 @@ updated admin en Updated
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
usage admin en Usage
use cookies to pass sessionid admin en Use cookies to pass session ID
use secure cookies (transmitted only via https) admin en Use secure cookies (transmitted only via https)
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
use theme admin en Use theme
user accounts admin en User accounts


@ -168,6 +168,16 @@
</tr>
<tr class="row_on">
<td>{lang_Use_secure_cookies_(transmitted_only_via_https)}</td>
<td>
<select name="newsettings[insecure_cookies]">
<option value="">{lang_Yes} - {lang_more_secure}</option>
<option value="insecure"{selected_insecure_cookies_insecure}>{lang_No}</option>
</select>
</td>
</tr>
<tr class="row_off">
<td>{lang_Deny_all_users_access_to_grant_other_users_access_to_their_entries_?}:</td>
<td>
<select name="newsettings[deny_user_grants_access]">


@ -75,6 +75,12 @@ class egw_session
*/
const EGW_SESSION_NAME = 'sessionid';
/**
* Used mcrypt algorithm and mode
*/
const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
const MCRYPT_MODE = MCRYPT_MODE_CBC;
/**
* current user login (account_lid@domain)
*
@ -366,11 +372,11 @@ class egw_session
*
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
* unlike the session id it's not know on the server, so only the client-request can decrypt the session!
* @param string $algo='tripledes'
* @param string $mode='ecb'
* @param string $algo=self::MCRYPT_ALGO
* @param string $mode=self::MCRYPT_MODE
* @return boolean true if encryption is used, false otherwise
*/
static private function init_crypt($kp3,$algo='tripledes',$mode='ecb')
static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
{
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
{
@ -1258,7 +1264,13 @@ class egw_session
}
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($cookiename,$cookievalue,$cookietime,$cookiepath,".self::$cookie_domain.")");
$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain);
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
{
$rv = setcookie($cookiename,$cookievalue,$cookietime,
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
}
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
}
@ -1294,7 +1306,9 @@ class egw_session
}
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
session_set_cookie_params(0,$path,$domain);
session_set_cookie_params(0, $path, $domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
}
/**
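Review bot: The Secure flag passed to `setcookie()` and to `session_set_cookie_params()` is derived only from `$_SERVER['HTTPS']`, which is usually not populated when TLS is terminated on a reverse proxy or load balancer in front of PHP, so on such installs the session cookies would presumably still be issued without Secure although the admin setting reads "Yes". A server setting that forces the flag on, or honouring a forwarded-protocol header only for requests from a configured trusted proxy, would close that gap. The same three-part expression and its comment are duplicated in both hunks; one private static helper, sketched below with a proposed name, keeps the two call sites from drifting apart and gives the HttpOnly wording one clear home. Separately, the first two hunks change the `init_crypt` defaults from `tripledes`/`ecb` to Rijndael-128 in CBC mode, which needs a fresh random IV per encryption and will not decrypt session data written with the old defaults; neither can be confirmed here because the function body continues outside the hunk. Both cookie-setting functions also start outside their hunks.

```php
// … unchanged: egw_session constants and earlier methods …

/**
 * Whether cookies should carry the Secure attribute: only if the request
 * arrived via HTTPS and the admin has not set insecure_cookies.
 */
static private function secure_cookie_flag()
{
	return empty($GLOBALS['egw_info']['server']['insecure_cookies']) &&
		!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// in the cookie setter (last argument true = HttpOnly, not readable from JavaScript):
$rv = setcookie($cookiename,$cookievalue,$cookietime,
	is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
	self::secure_cookie_flag(), true);

// in the session cookie-params setup:
session_set_cookie_params(0, $path, $domain, self::secure_cookie_flag(), true);
```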