author | Andreas Gohr <andi@splitbrain.org> | 2008-09-13 00:49:22 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2008-09-13 00:49:22 +0200 |
commit | f5c6743cf7fd971197b6ff56c658bd2457cbb02f (patch) | |
tree | 3a284fdb44f1225121a3a8fe1be2921c647b8103 /conf | |
parent | de9104dd6cb8aa34ab1fabb96a65606cd426c32b (diff) | |
more cookie security FS#1490
This patch adds the httponly option to the PHP session cookies and DokuWiki's
auth cookie when supported by the PHP version.
It also adds a new config option 'securecookie' which is enabled by default.
It makes sure the browser will not send a cookie set via HTTPS over a
non-secured connection. This option has to be disabled for wikis that only
protect the login with SSL but not the whole wiki.
darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz
Diffstat (limited to 'conf')
-rw-r--r-- | conf/dokuwiki.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php
index 03bf5e823..f1290ddd7 100644
--- a/conf/dokuwiki.php
+++ b/conf/dokuwiki.php
@@ -65,10 +65,11 @@ $conf['passcrypt'] = 'smd5'; //Used crypt method (smd5,md5,sha1,ssha
 $conf['defaultgroup']= 'user'; //Default groups new Users are added to
 $conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2
 $conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2
-$conf['profileconfirm'] = '1'; //Require current password to confirm changes to user profile
+$conf['profileconfirm'] = 1; //Require current password to confirm changes to user profile
 $conf['disableactions'] = ''; //comma separated list of actions to disable
 $conf['sneaky_index'] = 0; //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
 $conf['auth_security_timeout'] = 900; //time (seconds) auth data is considered valid, set to 0 to recheck on every page view
+$conf['securecookie'] = 1; //never send HTTPS cookies via HTTP
 /* Advanced Options */ |
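Review bot: The inline comment on the new `$conf['securecookie']` default does not tell an administrator when the option must be turned off, although the commit description states that wikis serving only the login page over SSL have to disable it; since this config file is what admins read, that caveat belongs next to the value, e.g. `$conf['securecookie'] = 1; //never send HTTPS cookies via HTTP (0|1) (set to 0 if only the login is served via SSL, otherwise the auth cookie is not sent to HTTP pages)`. The neighbouring options document their accepted values with `(0|1)`, so the new line should follow that convention too. The code that actually applies the secure flag to the session and auth cookies is not part of this hunk (the diffstat is limited to conf), so whether `1` is enforced as a strict boolean or compared loosely cannot be checked here.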