holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

use secure and httponly cookies by default, secure cookies can be switched off in Admin >> site configuration, if required for sitemgr

Browse Source
This commit is contained in:
Ralf Becker 2013-09-11 13:06:00 +00:00
parent cfd0923c97
commit 855c04cb2c
3 changed files with 18 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
admin/lang/egw_de.lang
View File

@ -624,6 +624,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
usage admin de Einsatz
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
use secure cookies (transmitted only via https) admin de Benutzer sichere Cookies (werden nur per https übertragen)
use theme admin de Benutztes Farbschema
user accounts admin de Benutzerkonten
user csv export admin de CSV Export von Benutzern

1
admin/lang/egw_en.lang
View File

@ -623,6 +623,7 @@ uppercase, lowercase, number, special char admin en Uppercase, lowercase, number
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
usage admin en Usage
use cookies to pass sessionid admin en Use cookies to pass session ID
use secure cookies (transmitted only via https) admin en Use secure cookies (transmitted only via https)
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
use theme admin en Use theme
user accounts admin en User accounts

21
phpgwapi/inc/class.egw_session.inc.php
View File

@ -75,6 +75,12 @@ class egw_session
*/
const EGW_SESSION_NAME = 'sessionid';
/**
* Used mcrypt algorithm and mode
*/
const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
const MCRYPT_MODE = MCRYPT_MODE_CBC;
/**
* current user login (account_lid@domain)
*
@ -369,11 +375,11 @@ class egw_session
*
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
* unlike the session id it's not know on the server, so only the client-request can decrypt the session!
* @param string $algo='tripledes'
* @param string $mode='ecb'
* @param string $algo=self::MCRYPT_ALGO
* @param string $mode=self::MCRYPT_MODE
* @return boolean true if encryption is used, false otherwise
*/
static private function init_crypt($kp3,$algo='tripledes',$mode='ecb')
static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
{
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
{
@ -1313,7 +1319,10 @@ class egw_session
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
{
$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain);
$rv = setcookie($cookiename,$cookievalue,$cookietime,
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
}
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
}
@ -1350,7 +1359,9 @@ class egw_session
}
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
session_set_cookie_params(0,$path,$domain);
session_set_cookie_params(0, $path, $domain,
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
}
/**