diff options
| -rw-r--r-- | apps/user_openid/phpmyid.php | 12 | ||||
| -rw-r--r-- | files/ajax/timezone.php | 4 | ||||
| -rw-r--r-- | lib/base.php | 6 | ||||
| -rw-r--r-- | lib/user.php | 7 |
4 files changed, 23 insertions, 6 deletions
diff --git a/apps/user_openid/phpmyid.php b/apps/user_openid/phpmyid.php index 09538b61ab1..5009fa410aa 100644 --- a/apps/user_openid/phpmyid.php +++ b/apps/user_openid/phpmyid.php @@ -1069,6 +1069,9 @@ function destroy_assoc_handle ( $id ) { session_write_close(); session_id($id); + if (OC_Config::getValue( "forcessl", false )) { + ini_set("session.cookie_secure", "on"); + } session_start(); session_destroy(); @@ -1194,6 +1197,9 @@ function new_assoc ( $expiration ) { session_write_close(); } + if (OC_Config::getValue( "forcessl", false )) { + ini_set("session.cookie_secure", "on"); + } session_start(); session_regenerate_id('false'); @@ -1265,6 +1271,9 @@ function secret ( $handle ) { } session_id($handle); + if (OC_Config::getValue( "forcessl", false )) { + ini_set("session.cookie_secure", "on"); + } session_start(); debug('Started session to acquire key: ' . session_id()); @@ -1467,6 +1476,9 @@ function user_session () { global $proto, $profile; session_name('phpMyID_Server'); + if (OC_Config::getValue( "forcessl", false )) { + ini_set("session.cookie_secure", "on"); + } @session_start(); $profile['authorized'] = (isset($_SESSION['auth_username']) diff --git a/files/ajax/timezone.php b/files/ajax/timezone.php index 93d06611a0d..8e1d2aa1ec1 100644 --- a/files/ajax/timezone.php +++ b/files/ajax/timezone.php @@ -1,4 +1,6 @@ <?php + // FIXME: this should start a secure session if forcessl is enabled + // see lib/base.php for an example session_start(); $_SESSION['timezone'] = $_GET['time']; -?>
\ No newline at end of file +?> diff --git a/lib/base.php b/lib/base.php index ec6b2e98df0..de2e7a36eee 100644 --- a/lib/base.php +++ b/lib/base.php @@ -80,8 +80,6 @@ class OC{ date_default_timezone_set('Europe/Berlin'); ini_set('arg_separator.output','&'); - ini_set('session.cookie_httponly','1;'); - session_start(); // calculate the documentroot OC::$DOCUMENTROOT=realpath($_SERVER['DOCUMENT_ROOT']); @@ -102,6 +100,7 @@ class OC{ // redirect to https site if configured if( OC_Config::getValue( "forcessl", false )){ + ini_set("session.cookie_secure", "on"); if(!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') { $url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']; header("Location: $url"); @@ -109,6 +108,9 @@ class OC{ } } + ini_set('session.cookie_httponly','1;'); + session_start(); + // Add the stuff we need always OC_Util::addScript( "jquery-1.6.4.min" ); OC_Util::addScript( "jquery-ui-1.8.14.custom.min" ); diff --git a/lib/user.php b/lib/user.php index 3e73b2f1008..241d9aa8b10 100644 --- a/lib/user.php +++ b/lib/user.php @@ -348,9 +348,10 @@ class OC_User { * @param string $username username to be set */ public static function setMagicInCookie($username, $token){ - setcookie("oc_username", $username, time()+60*60*24*15); - setcookie("oc_token", $token, time()+60*60*24*15); - setcookie("oc_remember_login", true, time()+60*60*24*15); + $secure_cookie = OC_Config::getValue("forcessl", false); + setcookie("oc_username", $username, time()+60*60*24*15, '', '', $secure_cookie); + setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie); + setcookie("oc_remember_login", true, time()+60*60*24*15, '', '', $secure_cookie); } /** |