From f5c6743cf7fd971197b6ff56c658bd2457cbb02f Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 13 Sep 2008 00:49:22 +0200 Subject: more cookie security FS#1490 This patch adds the httponly option to the PHP session cookies and DokuWiki's auth cookie when supported by the PHP version. It also adds a new config option 'securecookie' which is enabled by default. It makes sure the browser will not sent a cookie set via HTTPS over a non-secured connection. This option has to be disabled for wikis that only protect the login with SSL but not the whole wiki. darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz --- lib/plugins/config/lang/en/lang.php | 1 + lib/plugins/config/settings/config.metadata.php | 1 + 2 files changed, 2 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/config/lang/en/lang.php b/lib/plugins/config/lang/en/lang.php index c3c629450..864e79ee1 100644 --- a/lib/plugins/config/lang/en/lang.php +++ b/lib/plugins/config/lang/en/lang.php @@ -99,6 +99,7 @@ $lang['disableactions_wikicode'] = 'View source/Export Raw'; $lang['disableactions_other'] = 'Other actions (comma separated)'; $lang['sneaky_index'] = 'By default, DokuWiki will show all namespaces in the index view. Enabling this option will hide those where the user doesn\'t have read permissions. This might result in hiding of accessable subnamespaces. This may make the index unusable with certain ACL setups.'; $lang['auth_security_timeout'] = 'Authentication Security Timeout (seconds)'; +$lang['securecookie'] = 'Should cookies set via HTTPS only be sent via HTTPS by the browser? Disable this option when only the login of your wiki is secured with SSL but browsing the wiki is done unsecured.'; /* Advanced Options */ $lang['updatecheck'] = 'Check for updates and security warnings? DokuWiki needs to contact splitbrain.org for this feature.'; diff --git a/lib/plugins/config/settings/config.metadata.php b/lib/plugins/config/settings/config.metadata.php index bf987fe2d..4c86c2370 100644 --- a/lib/plugins/config/settings/config.metadata.php +++ b/lib/plugins/config/settings/config.metadata.php @@ -123,6 +123,7 @@ $meta['disableactions'] = array('disableactions', '_combine' => array('subscription' => array('subscribe','unsubscribe'), 'wikicode' => array('source','export_raw'), 'nssubscription' => array('subscribens','unsubscribens'))); $meta['sneaky_index'] = array('onoff'); $meta['auth_security_timeout'] = array('numeric'); +$meta['securecookie'] = array('onoff'); $meta['_anti_spam'] = array('fieldset'); $meta['usewordblock']= array('onoff'); -- cgit v1.2.3