Use Secure and HttpOnly cookies by default; Secure cookies can be switched off in Admin >> site configuration, if required for sitemgr.
This commit is contained in:
parent
cfd0923c97
commit
855c04cb2c
@ -624,6 +624,7 @@ url of the egroupware installation, eg. http://domain.com/egroupware admin de UR
|
|||||||
usage admin de Einsatz
|
usage admin de Einsatz
|
||||||
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
|
use cookies to pass sessionid admin de Sitzungs-ID in einem Cookie speichern
|
||||||
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
|
use pure html compliant code (not fully working yet) admin de Vollständig HTML kompatiblen Code verwenden (nicht vollständig implementiert)
|
||||||
|
use secure cookies (transmitted only via https) admin de Benutzer sichere Cookies (werden nur per https übertragen)
|
||||||
use theme admin de Benutztes Farbschema
|
use theme admin de Benutztes Farbschema
|
||||||
user accounts admin de Benutzerkonten
|
user accounts admin de Benutzerkonten
|
||||||
user csv export admin de CSV Export von Benutzern
|
user csv export admin de CSV Export von Benutzern
|
||||||
|
@ -623,6 +623,7 @@ uppercase, lowercase, number, special char admin en Uppercase, lowercase, number
|
|||||||
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
|
url of the egroupware installation, eg. http://domain.com/egroupware admin en URL of the EGroupware installation, e.g. http://domain.com/egroupware
|
||||||
usage admin en Usage
|
usage admin en Usage
|
||||||
use cookies to pass sessionid admin en Use cookies to pass session ID
|
use cookies to pass sessionid admin en Use cookies to pass session ID
|
||||||
|
use secure cookies (transmitted only via https) admin en Use secure cookies (transmitted only via https)
|
||||||
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
|
use pure html compliant code (not fully working yet) admin en Use pure HTML compliant code
|
||||||
use theme admin en Use theme
|
use theme admin en Use theme
|
||||||
user accounts admin en User accounts
|
user accounts admin en User accounts
|
||||||
|
@ -75,6 +75,12 @@ class egw_session
|
|||||||
*/
|
*/
|
||||||
const EGW_SESSION_NAME = 'sessionid';
|
const EGW_SESSION_NAME = 'sessionid';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Used mcrypt algorithm and mode
|
||||||
|
*/
|
||||||
|
const MCRYPT_ALGO = MCRYPT_RIJNDAEL_128;
|
||||||
|
const MCRYPT_MODE = MCRYPT_MODE_CBC;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* current user login (account_lid@domain)
|
* current user login (account_lid@domain)
|
||||||
*
|
*
|
||||||
@ -369,11 +375,11 @@ class egw_session
|
|||||||
*
|
*
|
||||||
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
|
* @param string $kp3 mcrypt key transported via cookie or get parameter like the session id,
|
||||||
* unlike the session id it's not know on the server, so only the client-request can decrypt the session!
|
* unlike the session id it's not know on the server, so only the client-request can decrypt the session!
|
||||||
* @param string $algo='tripledes'
|
* @param string $algo=self::MCRYPT_ALGO
|
||||||
* @param string $mode='ecb'
|
* @param string $mode=self::MCRYPT_MODE
|
||||||
* @return boolean true if encryption is used, false otherwise
|
* @return boolean true if encryption is used, false otherwise
|
||||||
*/
|
*/
|
||||||
static private function init_crypt($kp3,$algo='tripledes',$mode='ecb')
|
static private function init_crypt($kp3,$algo=self::MCRYPT_ALGO,$mode=self::MCRYPT_MODE)
|
||||||
{
|
{
|
||||||
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
|
if(!$GLOBALS['egw_info']['server']['mcrypt_enabled'])
|
||||||
{
|
{
|
||||||
@ -1313,7 +1319,10 @@ class egw_session
|
|||||||
|
|
||||||
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
if(!headers_sent()) // gives only a warning, but can not send the cookie anyway
|
||||||
{
|
{
|
||||||
$rv = setcookie($cookiename,$cookievalue,$cookietime,is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain);
|
$rv = setcookie($cookiename,$cookievalue,$cookietime,
|
||||||
|
is_null($cookiepath) ? self::$cookie_path : $cookiepath,self::$cookie_domain,
|
||||||
|
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||||
|
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
|
||||||
}
|
}
|
||||||
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
|
//error_log(__METHOD__." $cookiename->$cookievalue".' returned:'.print_r($rv,true).print_r($_COOKIE,true));
|
||||||
}
|
}
|
||||||
@ -1350,7 +1359,9 @@ class egw_session
|
|||||||
}
|
}
|
||||||
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
|
//echo "<p>cookie_path='self::$cookie_path', cookie_domain='self::$cookie_domain'</p>\n";
|
||||||
|
|
||||||
session_set_cookie_params(0,$path,$domain);
|
session_set_cookie_params(0, $path, $domain,
|
||||||
|
// if called via HTTPS, only send cookie for https and only allow cookie access via HTTP (true)
|
||||||
|
empty($GLOBALS['egw_info']['server']['insecure_cookies']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', true);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||