From f5c6743cf7fd971197b6ff56c658bd2457cbb02f Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 13 Sep 2008 00:49:22 +0200
Subject: more cookie security FS#1490

This patch adds the httponly option to the PHP session cookies and DokuWiki's auth cookie when supported by the PHP version. It also adds a new config option 'securecookie' which is enabled by default. It makes sure the browser will not sent a cookie set via HTTPS over a non-secured connection. This option has to be disabled for wikis that only protect the login with SSL but not the whole wiki.

darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz
---
 inc/auth.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'inc/auth.php')

diff --git a/inc/auth.php b/inc/auth.php
index 8d6f48738..f9d48d0d6 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -135,7 +135,11 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 $pass = PMA_blowfish_encrypt($pass,auth_cookiesalt());
 $cookie = base64_encode("$user|$sticky|$pass");
 if($sticky) $time = time()+60*60*24*365; //one year
- setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL);
+ if (version_compare(PHP_VERSION, '5.2.0', '>')) { setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true); }else{ setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl())); }
 // set session
 $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
@@ -286,7 +290,12 @@ function auth_logoff(){
 if(isset($_SERVER['REMOTE_USER'])) unset($_SERVER['REMOTE_USER']);
 $USERINFO=null; //FIXME
- setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL);
+
+ if (version_compare(PHP_VERSION, '5.2.0', '>')) { setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()),true); }else{ setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl())); }
 if($auth && $auth->canDo('logoff')){
 $auth->logOff();
-- 
cgit v1.2.3
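Review bot: The httponly flag is skipped on PHP 5.2.0 itself, because the new guard in auth_login uses `version_compare(PHP_VERSION, '5.2.0', '>')` while the seventh setcookie() parameter exists from 5.2.0 on; the check should read `if (version_compare(PHP_VERSION, '5.2.0', '>=')) {`. The same guard, with the same off-by-one, is repeated in the auth_logoff hunk. The secure flag also depends on `$conf`, which inside auth_login is only visible if the function declares `global $conf`; the function header is outside the hunk, so that cannot be confirmed here. auth_login begins before this hunk and continues after it.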
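Review bot: Both new setcookie() calls in auth_logoff drop the empty domain argument, so `($conf['securecookie'] && is_ssl())` is passed as the domain and `true` as the secure flag, and httponly is never set; the auth_login hunk has the intended order `DOKU_REL,'',(secure),true`. Because the deletion cookie then carries different domain/secure attributes than the cookie set at login, the browser may keep the login cookie and logout may silently fail, most visibly over plain HTTP where the unconditional Secure attribute keeps the deletion from ever reaching the stored cookie. The lines should read `setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);` and, in the else branch, `setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,'',($conf['securecookie'] && is_ssl()));`. auth_logoff starts before this hunk and continues after it.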