set cookie secure if forcessl is enabled
authorFlorian Pritz <bluewind@xinu.at>
Fri, 23 Sep 2011 11:52:10 +0000 (13:52 +0200)
committerFlorian Pritz <bluewind@xinu.at>
Sat, 24 Sep 2011 16:42:00 +0000 (18:42 +0200)
This also moves session_start in lib/base.php down a bit because we need
OC::$SERVERROOT to get the config settings.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
apps/user_openid/phpmyid.php
files/ajax/timezone.php
lib/base.php
lib/user.php

index 09538b61ab16a3ffed0f97be75cd19d5cdf08286..5009fa410aac340ba46685375621ee86f9c52e78 100644 (file)
@@ -1069,6 +1069,9 @@ function destroy_assoc_handle ( $id ) {
        session_write_close();
 
        session_id($id);
+       if (OC_Config::getValue( "forcessl", false )) {
+               ini_set("session.cookie_secure", "on");
+       }
        session_start();
        session_destroy();
 
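Review bot: The three-line `forcessl` guard added here is pasted verbatim into destroy_assoc_handle, new_assoc, secret and user_session (this hunk and the three that follow), and a fifth copy lives in lib/base.php, so a later change to the policy (for example also setting `session.cookie_httponly`, which phpMyID's sessions do not get) has to be repeated in five places. A small helper such as `OC_Util::startSecureSession()` that applies the ini_set calls and then calls session_start() would keep the phpMyID sessions and the core session in step; the call sites would each reduce to one line. The guard also appears to rely on OC_Config being loaded before phpmyid.php runs (the commit message says OC::$SERVERROOT is needed to read the config) — worth confirming that every entry into this file goes through lib/base.php. All four enclosing functions start and end outside their hunks.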
@@ -1194,6 +1197,9 @@ function new_assoc ( $expiration ) {
                session_write_close();
        }
 
+       if (OC_Config::getValue( "forcessl", false )) {
+               ini_set("session.cookie_secure", "on");
+       }
        session_start();
        session_regenerate_id('false');
 
@@ -1265,6 +1271,9 @@ function secret ( $handle ) {
        }
 
        session_id($handle);
+       if (OC_Config::getValue( "forcessl", false )) {
+               ini_set("session.cookie_secure", "on");
+       }
        session_start();
        debug('Started session to acquire key: ' . session_id());
 
@@ -1467,6 +1476,9 @@ function user_session () {
        global $proto, $profile;
 
        session_name('phpMyID_Server');
+       if (OC_Config::getValue( "forcessl", false )) {
+               ini_set("session.cookie_secure", "on");
+       }
        @session_start();
 
        $profile['authorized'] = (isset($_SESSION['auth_username'])
index 93d06611a0d977fb830ad576feca1a0faaf632a7..8e1d2aa1ec132b37677ae99614b81154e23f3128 100644 (file)
@@ -1,4 +1,6 @@
 <?php
+       // FIXME: this should start a secure session if forcessl is enabled
+       // see lib/base.php for an example
        session_start();
        $_SESSION['timezone'] = $_GET['time'];
-?>
\ No newline at end of file
+?>
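Review bot: The FIXME leaves this endpoint issuing a session cookie without the secure flag even when forcessl is on, so one request to files/ajax/timezone.php over plain HTTP can expose the session id that the rest of the commit protects. If this script is reached with OC_Config already loaded (the comment points to lib/base.php as the example, so that seems to be the intent), the fix is the same guard used elsewhere in the commit, placed before session_start(): `if (OC_Config::getValue("forcessl", false)) {`, `    ini_set("session.cookie_secure", "on");`, `}`. If OC_Config is not guaranteed to be available here, the comment should say what has to be required first rather than only pointing at base.php.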
index ec6b2e98df0182aaeb456db3c28cc60ad9892bc4..de2e7a36eeedc41f2b665ec1d86d54babe51e73b 100644 (file)
@@ -80,8 +80,6 @@ class OC{
 
                date_default_timezone_set('Europe/Berlin');
                ini_set('arg_separator.output','&amp;');
-               ini_set('session.cookie_httponly','1;');
-               session_start();
 
                // calculate the documentroot
                OC::$DOCUMENTROOT=realpath($_SERVER['DOCUMENT_ROOT']);
@@ -102,6 +100,7 @@ class OC{
 
                // redirect to https site if configured
                if( OC_Config::getValue( "forcessl", false )){
+                       ini_set("session.cookie_secure", "on");
                        if(!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') {
                                $url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
                                header("Location: $url");
@@ -109,6 +108,9 @@ class OC{
                        }
                }
 
+               ini_set('session.cookie_httponly','1;');
+               session_start();
+
                // Add the stuff we need always
                OC_Util::addScript( "jquery-1.6.4.min" );
                OC_Util::addScript( "jquery-ui-1.8.14.custom.min" );
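Review bot: The moved `ini_set('session.cookie_httponly','1;')` carries a trailing semicolon in its value; the ini parser appears to accept it, but it reads like a typo and the boolean settings elsewhere in this commit use `"on"`, so `ini_set('session.cookie_httponly', '1');` would be clearer. Separately, the secure flag is now tied only to the forcessl config, so an instance that is served over HTTPS without forcessl still issues a cookie that the browser will also send over HTTP; setting `session.cookie_secure` whenever `$_SERVER['HTTPS']` is `'on'` (the same test the redirect block uses two hunks up) would cover that case, though it is a policy choice the commit message should state either way. The enclosing method of class OC starts before the first hunk and continues past this one.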
index 3e73b2f10086ebacd59b21dbff337c6f9d5b3768..241d9aa8b1042c158b1829b307ff92e95a88768a 100644 (file)
@@ -348,9 +348,10 @@ class OC_User {
         * @param string $username username to be set
         */
        public static function setMagicInCookie($username, $token){
-               setcookie("oc_username", $username, time()+60*60*24*15);
-               setcookie("oc_token", $token, time()+60*60*24*15);
-               setcookie("oc_remember_login", true, time()+60*60*24*15);
+               $secure_cookie = OC_Config::getValue("forcessl", false);
+               setcookie("oc_username", $username, time()+60*60*24*15, '', '', $secure_cookie);
+               setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie);
+               setcookie("oc_remember_login", true, time()+60*60*24*15, '', '', $secure_cookie);
        }
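Review bot: The remember-me cookies gain the secure flag but not httponly, so `oc_token` (a long-lived credential, 15 days) stays readable from script even though the main session cookie has httponly set in lib/base.php; passing setcookie's seventh argument closes that gap, e.g. `setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie, true);` and the same for `oc_username` and `oc_remember_login`. It also seems safer to cast the config value, `$secure_cookie = (bool) OC_Config::getValue("forcessl", false);`, since setcookie expects a bool and the config may hand back a string depending on how forcessl was written. setMagicInCookie is entirely within the hunk.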
 
        /**