mark cookies HTTP only
parent
b38bc8bc8a
commit
36f054b84e
|
@ -662,7 +662,7 @@ class lamList {
|
|||
$cookieValue .= $this->configOptions[$i]->getID() . "=" . $this->configOptions[$i]->getValue() . ';';
|
||||
}
|
||||
// save options as cookie for one year
|
||||
setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/");
|
||||
setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/", null, null, true);
|
||||
// notify subclasses
|
||||
$this->listConfigurationChanged();
|
||||
}
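Review bot: The new seventh argument turns on HttpOnly, but the sixth (`secure`) is passed as `null`, so this cookie is still sent over plain HTTP. The same `null, null, true` tail is used for the `Key` and `IV` cookies in `logoffAndBackToLoginPage()`, `display_LoginPage()` and the logout page, and in every `session_set_cookie_params(0, '/', null, null, true)` call, where it matters most because those cookies carry the session ID and the key/IV values. If the application is served over HTTPS (not visible here), compute the flag once, e.g. `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`, and pass `"", $secure, true`; an empty string and a real bool instead of `null` also avoid the null-to-scalar deprecation in newer PHP versions. The enclosing method starts outside this hunk.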
|
||||
|
|
|
@ -157,8 +157,8 @@ function logoffAndBackToLoginPage() {
|
|||
}
|
||||
// delete key and iv in cookie
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
|
||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
|
||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
}
|
||||
// link back to login page
|
||||
$paths = array('./', '../', '../../', '../../../', '../../../../');
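Review bot: The comment says the key and IV are deleted, but both calls overwrite them with a placeholder string and expiry `0`, so two `Key`/`IV` session cookies stay in the browser until it is closed. Expiring them states the intent directly and leaves nothing behind: `setcookie("Key", "", time() - 3600, "/", "", false, true);` and the same for `"IV"`; if the overwrite is deliberate, a short comment saying why would help. The identical block appears again in the last file section of this commit, so a small shared helper would keep the cookie attributes of both copies in step with the ones used when the cookies are set in `display_LoginPage()`. The function body starts and ends outside this hunk.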
|
||||
|
|
|
@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
|
|||
if (strtolower(session_module_name()) == 'files') {
|
||||
session_save_path(dirname(__FILE__) . '/../../sess');
|
||||
}
|
||||
session_set_cookie_params(0, '/', null, null, true);
|
||||
session_start();
|
||||
session_regenerate_id(true);
|
||||
|
||||
|
|
|
@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
|
|||
if (strtolower(session_module_name()) == 'files') {
|
||||
session_save_path(dirname(__FILE__) . '/../../sess');
|
||||
}
|
||||
session_set_cookie_params(0, '/', null, null, true);
|
||||
session_start();
|
||||
session_regenerate_id(true);
|
||||
|
||||
|
|
|
@ -54,6 +54,7 @@ if (strtolower(session_module_name()) == 'files') {
|
|||
// start empty session and change ID for security reasons
|
||||
session_start();
|
||||
session_destroy();
|
||||
session_set_cookie_params(0, '/', null, null, true);
|
||||
session_start();
|
||||
session_regenerate_id(true);
|
||||
|
||||
|
@ -62,7 +63,7 @@ $profiles = getConfigProfiles();
|
|||
// save last selected login profile
|
||||
if (isset($_GET['useProfile'])) {
|
||||
if (in_array($_GET['useProfile'], $profiles)) {
|
||||
setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24);
|
||||
setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24, '/', null, null, true);
|
||||
}
|
||||
else {
|
||||
unset($_GET['useProfile']);
|
||||
|
@ -71,7 +72,7 @@ if (isset($_GET['useProfile'])) {
|
|||
|
||||
// save last selected language
|
||||
if (isset($_POST['language'])) {
|
||||
setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24);
|
||||
setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24, '/', null, null, true);
|
||||
}
|
||||
|
||||
// init some session variables
|
||||
|
@ -166,8 +167,8 @@ function display_LoginPage($config_object, $cfgMain) {
|
|||
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
|
||||
}
|
||||
// save both in cookie
|
||||
setcookie("Key", base64_encode($key), 0, "/");
|
||||
setcookie("IV", base64_encode($iv), 0, "/");
|
||||
setcookie("Key", base64_encode($key), 0, "/", null, null, true);
|
||||
setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
|
||||
}
|
||||
|
||||
$profiles = getConfigProfiles();
|
||||
|
@ -536,10 +537,10 @@ if(!empty($_POST['checklogin'])) {
|
|||
}
|
||||
else {
|
||||
if (isset($_POST['rememberLogin']) && ($_POST['rememberLogin'] == 'on')) {
|
||||
setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365);
|
||||
setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365, '/', null, null, true);
|
||||
}
|
||||
else if (isset($_COOKIE['lam_login_name']) && ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)) {
|
||||
setcookie('lam_login_name', '', time() + 60*60*24*365);
|
||||
setcookie('lam_login_name', '', time() + 60*60*24*365, '/', null, null, true);
|
||||
}
|
||||
if($_POST['passwd'] == "") {
|
||||
logNewMessage(LOG_DEBUG, "Empty password for login");
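Review bot: Adding the explicit path `'/'` to `lam_default_profile`, `lam_last_language` and `lam_login_name` creates new cookies rather than updating the existing ones, because the earlier calls had no path and the browser stored them under the login page's directory. Those older cookies keep their one-year lifetime without HttpOnly and are sent alongside the new ones, so the value PHP reads may still be the old one, and the clearing call `setcookie('lam_login_name', '', ..., '/', null, null, true)` does not remove a name remembered before this change. Expiring the legacy cookie next to each new call closes that gap, e.g. `setcookie('lam_login_name', '', time() - 3600);`. The surrounding `if`/`else` blocks begin and end outside the hunks.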
|
||||
|
|
|
@ -9,12 +9,12 @@ $Id$
|
|||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
@ -26,13 +26,13 @@ $Id$
|
|||
*
|
||||
* @package main
|
||||
* @author Roland Gruber
|
||||
*/
|
||||
*/
|
||||
|
||||
|
||||
// delete key and iv in cookie
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
|
||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
|
||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
}
|
||||
|
||||
/** security functions */
|
||||
|
|