more cookie security FS#1490

This patch adds the httponly option to the PHP session cookies and DokuWiki's
auth cookie when supported by the PHP version.

It also adds a new config option 'securecookie' which is enabled by default.
It makes sure the browser will not sent a cookie set via HTTPS over a
non-secured connection. This option has to be disabled for wikis that only
protect the login with SSL but not the whole wiki.

darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz

1 files changed, 11 insertions, 2 deletions

diff --git a/inc/auth.php b/inc/auth.php
index 8d6f48738..f9d48d0d6 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -135,7 +135,11 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
       $pass   = PMA_blowfish_encrypt($pass,auth_cookiesalt());
       $cookie = base64_encode("$user|$sticky|$pass");
       if($sticky) $time = time()+60*60*24*365; //one year
-      setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL);
+      if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+          setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);
+      }else{
+          setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()));
+      }
 
       // set session
       $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
@@ -286,7 +290,12 @@ function auth_logoff(){
   if(isset($_SERVER['REMOTE_USER']))
     unset($_SERVER['REMOTE_USER']);
   $USERINFO=null; //FIXME
-  setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL);
+
+  if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+    setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()),true);
+  }else{
+    setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()));
+  }
 
   if($auth && $auth->canDo('logoff')){
     $auth->logOff();