From f5c6743cf7fd971197b6ff56c658bd2457cbb02f Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 13 Sep 2008 00:49:22 +0200 Subject: more cookie security FS#1490 This patch adds the httponly option to the PHP session cookies and DokuWiki's auth cookie when supported by the PHP version. It also adds a new config option 'securecookie' which is enabled by default. It makes sure the browser will not sent a cookie set via HTTPS over a non-secured connection. This option has to be disabled for wikis that only protect the login with SSL but not the whole wiki. darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz --- conf/dokuwiki.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'conf') diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php index 03bf5e823..f1290ddd7 100644 --- a/conf/dokuwiki.php +++ b/conf/dokuwiki.php @@ -65,10 +65,11 @@ $conf['passcrypt'] = 'smd5'; //Used crypt method (smd5,md5,sha1,ssha $conf['defaultgroup']= 'user'; //Default groups new Users are added to $conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2 $conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2 -$conf['profileconfirm'] = '1'; //Require current password to confirm changes to user profile +$conf['profileconfirm'] = 1; //Require current password to confirm changes to user profile $conf['disableactions'] = ''; //comma separated list of actions to disable $conf['sneaky_index'] = 0; //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior) $conf['auth_security_timeout'] = 900; //time (seconds) auth data is considered valid, set to 0 to recheck on every page view +$conf['securecookie'] = 1; //never send HTTPS cookies via HTTP /* Advanced Options */ -- cgit v1.2.3