authorLukas Reschke <lukas@owncloud.com>2015-02-24 13:50:49 +0100
committerLukas Reschke <lukas@owncloud.com>2015-02-24 13:50:49 +0100
commit276824299ce05250f497075b3153148a3040bdf3 (patch)
tree05db4e409ed4d44407fa434a3db3a80a53a010b1 /lib
parent65dcbccee0ca4acae1400a5135344bde61f09bea (diff)
parenta2e355a7fe99d094da79210ecf3fff4224f5a5df (diff)
Merge pull request #13340 from owncloud/use-http-only
Use "HTTPOnly" for cookies when logging out
Diffstat (limited to 'lib')
-rw-r--r--lib/private/user/session.php23
1 files changed, 13 insertions, 10 deletions
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index 0bc03f7b5e6..ead3a4f7a13 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -285,27 +285,30 @@ class Session implements IUserSession, Emitter {
* @param string $token
*/
public function setMagicInCookie($username, $token) {
- $secure_cookie = \OC_Config::getValue("forcessl", false); //TODO: DI for cookies and OC_Config
+ $secureCookie = \OC_Config::getValue("forcessl", false); //TODO: DI for cookies and OC_Config
$expires = time() + \OC_Config::getValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
- setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secure_cookie);
- setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secure_cookie, true);
- setcookie("oc_remember_login", "1", $expires, \OC::$WEBROOT, '', $secure_cookie);
+ setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secureCookie, true);
+ setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secureCookie, true);
+ setcookie("oc_remember_login", "1", $expires, \OC::$WEBROOT, '', $secureCookie, true);
}
/**
* Remove cookie for "remember username"
*/
public function unsetMagicInCookie() {
+ //TODO: DI for cookies and OC_Config
+ $secureCookie = \OC_Config::getValue('forcessl', false);
+
unset($_COOKIE["oc_username"]); //TODO: DI
unset($_COOKIE["oc_token"]);
unset($_COOKIE["oc_remember_login"]);
- setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT);
- setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT);
- setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT);
+ setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT, '',$secureCookie, true);
+ setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true);
+ setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true);
// old cookies might be stored under /webroot/ instead of /webroot
// and Firefox doesn't like it!
- setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT . '/');
- setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT . '/');
- setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT . '/');
+ setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
}
}
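Review bot: The six deletion calls added in unsetMagicInCookie (lines 51–53 and 59–61) spell out the same argument list by hand, and the drift has already started: the first one reads `'',$secureCookie` without the space the other five have. Hoisting `$expired = time() - 3600;` and looping over the three cookie names and the two paths keeps the Secure/HttpOnly attributes in one place, so a later edit cannot leave one of the six cookies without them; the rewrite below does that with the same names, paths, flags and expiry as the hunk. Separately, `$secureCookie` is taken only from the `forcessl` setting, so on an installation that serves HTTPS without forcing it the remember-me cookies are still written without the Secure attribute and a browser will also present them on a plain-HTTP request to the same host — whether the flag should additionally consult the current request's scheme is a product decision, but it deserves a comment next to line 43 such as `// Secure follows forcessl only; an HTTPS request with forcessl=false still gets a non-Secure cookie`. The `@@` counts (27/30) are one context line more than is shown here, so a blank line was probably dropped in rendering; nothing in the code depends on it.

```php
public function unsetMagicInCookie() {
    //TODO: DI for cookies and OC_Config
    $secureCookie = \OC_Config::getValue('forcessl', false);
    $expired = time() - 3600;
    foreach (['oc_username', 'oc_token', 'oc_remember_login'] as $name) {
        unset($_COOKIE[$name]); //TODO: DI
        // old cookies might be stored under /webroot/ instead of /webroot
        // and Firefox doesn't like it!
        foreach ([\OC::$WEBROOT, \OC::$WEBROOT . '/'] as $path) {
            setcookie($name, '', $expired, $path, '', $secureCookie, true);
        }
    }
}
```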