author | Andreas Gohr <andi@splitbrain.org> | 2008-09-13 00:49:22 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2008-09-13 00:49:22 +0200 |
commit | f5c6743cf7fd971197b6ff56c658bd2457cbb02f (patch) | |
tree | 3a284fdb44f1225121a3a8fe1be2921c647b8103 /inc | |
parent | de9104dd6cb8aa34ab1fabb96a65606cd426c32b (diff) | |
more cookie security FS#1490
This patch adds the httponly option to the PHP session cookies and DokuWiki's
auth cookie when supported by the PHP version.
It also adds a new config option 'securecookie' which is enabled by default.
It makes sure the browser will not send a cookie that was set via HTTPS over a
non-secured connection. This option has to be disabled for wikis that only
protect the login with SSL but not the whole wiki.
darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz
Diffstat (limited to 'inc')
-rw-r--r-- | inc/auth.php | 13 | ||||
-rw-r--r-- | inc/init.php | 26 |
2 files changed, 33 insertions, 6 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 8d6f48738..f9d48d0d6 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -135,7 +135,11 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 $pass = PMA_blowfish_encrypt($pass,auth_cookiesalt());
 $cookie = base64_encode("$user|$sticky|$pass");
 if($sticky) $time = time()+60*60*24*365; //one year
- setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL);
+ if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+ setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);
+ }else{
+ setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()));
+ }
 
 // set session
 $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
@@ -286,7 +290,12 @@ function auth_logoff(){
 if(isset($_SERVER['REMOTE_USER'])) unset($_SERVER['REMOTE_USER']);
 $USERINFO=null; //FIXME
 
- setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL);
+
+ if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+ setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()),true);
+ }else{
+ setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()));
+ }
 
 if($auth && $auth->canDo('logoff')){
 $auth->logOff();
diff --git a/inc/init.php b/inc/init.php
index b01711e4b..5277206f6 100644
--- a/inc/init.php
+++ b/inc/init.php
@@ -114,7 +114,11 @@
 // init session
 if (!headers_sent() && !defined('NOSESSION')){
 session_name("DokuWiki");
- session_set_cookie_params(0, DOKU_REL);
+ if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+ session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);
+ }else{
+ session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()));
+ }
 session_start();
 }
 
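Review bot: The guard `if (version_compare(PHP_VERSION, '5.2.0', '>'))` around the new setcookie() call in auth_login excludes PHP 5.2.0 itself, although the httponly parameter of setcookie() first appeared in exactly that release, so on 5.2.0 the fallback branch runs and the auth cookie is issued without HttpOnly without any indication. Change it to `if (version_compare(PHP_VERSION, '5.2.0', '>='))`; the same comparison is repeated in auth_logoff and in init.php and needs the same change. The sticky cookie still carries the blowfish-encrypted password in its value, so HttpOnly only keeps scripts from reading it, and a short comment at the setcookie call saying so (`// HttpOnly keeps the cookie away from script access; Secure only when securecookie is on and this request came in over SSL`) would spare the next reader from guessing the intent of the two flags. The opening lines of auth_login are outside the hunk, so whether `$conf` is imported with `global $conf` there cannot be checked from here; if it is not, the Secure flag is silently always false.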
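Review bot: The two new setcookie() calls in auth_logoff pass the Secure flag in the fifth position, which is setcookie's `$domain` parameter, while auth_login passes an empty domain in that slot and the flag in the sixth; here `($conf['securecookie'] && is_ssl())` becomes the cookie domain (the string `1` when it is true, empty otherwise) and, in the first branch, the literal `true` meant as httponly becomes `$secure`. A deletion cookie with domain `1` does not match the cookie set in auth_login, so on an HTTPS wiki with securecookie enabled logout leaves the auth cookie in the browser, and in every case the expiry cookie is sent with the Secure attribute even over plain HTTP, which browsers may decline to apply. Mirror the argument list used in auth_login: `setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);` in the first branch and `setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,'',($conf['securecookie'] && is_ssl()));` in the second. The version_compare() guard should read `'>='` rather than `'>'`, since 5.2.0 is the first release that accepts the httponly argument. The start of auth_logoff is outside the hunk, so I cannot confirm from here that `$conf` is declared global in it.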
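Review bot: The Secure attribute of the session cookie in the new `session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true)` line is decided from the current request only, so a session cookie first issued over plain HTTP keeps being sent as a non-Secure cookie on every later request, HTTPS or not, and the session id it carries stays exposed on the HTTP side; nothing in the hunk re-issues the cookie with the stronger flags once the user reaches HTTPS. That limitation should be stated next to the call, e.g. `// cookie flags are fixed when the session cookie is created: a session started over HTTP stays non-Secure even after the user switches to HTTPS`, so that the advice in the commit message (serve the whole wiki over SSL) is visible at the code that depends on it. The guard `version_compare(PHP_VERSION, '5.2.0', '>')` should be `'>='`, as 5.2.0 is the release that added the httponly parameter of session_set_cookie_params(). The config default for `securecookie` mentioned in the description is not part of this diff (it is limited to inc/), so whether `$conf['securecookie']` is already populated when this top-level code runs cannot be verified from the hunk.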
@@ -341,9 +345,7 @@ function getBaseURL($abs=null){
 if(!$port) $port = $_SERVER['SERVER_PORT'];
 if(!$port) $port = 80;
 
- // see if HTTPS is enabled - apache leaves this empty when not available,
- // IIS sets it to 'off', 'false' and 'disabled' are just guessing
- if (preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS'])){
+ if(!is_ssl()){
 $proto = 'http://';
 if ($port == '80') {
 $port='';
@@ -361,6 +363,22 @@ function getBaseURL($abs=null){
 }
 
 /**
+ * Check if accessed via HTTPS
+ *
+ * Apache leaves ,$_SERVER['HTTPS'] empty when not available, IIS sets it to 'off'.
+ * 'false' and 'disabled' are just guessing
+ *
+ * @returns bool true when SSL is active
+ */
+function is_ssl(){
+ if (preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS'])){
+ return false;
+ }else{
+ return true;
+ }
+}
+
+/**
 * Append a PHP extension to a given file and adds an exit call
 *
 * This is used to migrate some old configfiles. An added PHP extension
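Review bot: preg_match() in the new is_ssl() reads `$_SERVER['HTTPS']` unconditionally, and the docblock itself says Apache leaves the variable unset when SSL is not available, so every plain-HTTP request on Apache raises an undefined-index notice; the inline code it replaces had the same flaw, but a helper that is now called on every cookie-setting path should test the key first. Guard it and fold the two branches: `if(!isset($_SERVER['HTTPS'])) return false;` followed by `return !preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS']);`, which keeps the current results for every set value. Because only `$_SERVER['HTTPS']` is consulted, a deployment that terminates TLS on a reverse proxy or load balancer is reported as non-SSL and the Secure flag is never applied to either cookie; that deserves a sentence in the docblock rather than being discovered in production. The docblock also has a stray comma in `Apache leaves ,$_SERVER['HTTPS']` and uses `@returns` where the phpDocumentor tag is `@return bool`.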