diff --git a/lam/lib/lists.inc b/lam/lib/lists.inc
index e60d7dba..ea23a8b9 100644
--- a/lam/lib/lists.inc
+++ b/lam/lib/lists.inc
@@ -662,7 +662,7 @@ class lamList {
 $cookieValue .= $this->configOptions[$i]->getID() . "=" . $this->configOptions[$i]->getValue() . ';';
 }
 // save options as cookie for one year
- setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/");
+ setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/", null, null, true);
 // notify subclasses
 $this->listConfigurationChanged();
 }
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 00b9a273..c5638052 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -157,8 +157,8 @@ function logoffAndBackToLoginPage() {
 }
 // delete key and iv in cookie
 if (function_exists('mcrypt_create_iv')) {
- setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
- setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/");
+ setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
+ setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 }
 // link back to login page
 $paths = array('./', '../', '../../', '../../../', '../../../../');
diff --git a/lam/templates/config/conflogin.php b/lam/templates/config/conflogin.php
index 1a3e6a63..d5538e02 100644
--- a/lam/templates/config/conflogin.php
+++ b/lam/templates/config/conflogin.php
@@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
 if (strtolower(session_module_name()) == 'files') {
 session_save_path(dirname(__FILE__) . '/../../sess');
 }
+session_set_cookie_params(0, '/', null, null, true);
 session_start();
 session_regenerate_id(true);
diff --git a/lam/templates/config/mainlogin.php b/lam/templates/config/mainlogin.php
index 3bfc68a4..5c034d70 100644
--- a/lam/templates/config/mainlogin.php
+++ b/lam/templates/config/mainlogin.php
@@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
 if (strtolower(session_module_name()) == 'files') {
 session_save_path(dirname(__FILE__) . '/../../sess');
 }
+session_set_cookie_params(0, '/', null, null, true);
 session_start();
 session_regenerate_id(true);
diff --git a/lam/templates/login.php b/lam/templates/login.php
index c480c1a4..0ebfd748 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -54,6 +54,7 @@ if (strtolower(session_module_name()) == 'files') {
 // start empty session and change ID for security reasons
 session_start();
 session_destroy();
+session_set_cookie_params(0, '/', null, null, true);
 session_start();
 session_regenerate_id(true);
@@ -62,7 +63,7 @@ $profiles = getConfigProfiles();
 // save last selected login profile
 if (isset($_GET['useProfile'])) {
 if (in_array($_GET['useProfile'], $profiles)) {
- setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24);
+ setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24, '/', null, null, true);
 }
 else {
 unset($_GET['useProfile']);
@@ -71,7 +72,7 @@ if (isset($_GET['useProfile'])) {
 // save last selected language
 if (isset($_POST['language'])) {
- setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24);
+ setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24, '/', null, null, true);
 }
 // init some session variables
@@ -166,8 +167,8 @@ function display_LoginPage($config_object, $cfgMain) {
 $iv = mcrypt_create_iv(32, MCRYPT_RAND);
 }
 // save both in cookie
- setcookie("Key", base64_encode($key), 0, "/");
- setcookie("IV", base64_encode($iv), 0, "/");
+ setcookie("Key", base64_encode($key), 0, "/", null, null, true);
+ setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
 }
 $profiles = getConfigProfiles();
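Review bot: In lam/templates/login.php (hunk at -54) the added `session_set_cookie_params(0, '/', null, null, true);` sits after the first `session_start(); session_destroy();` pair, so that first session is still opened with the default cookie parameters and any session cookie it emits would lack HttpOnly. Whether a header is actually sent at that point depends on the request and is not visible here, so this is a hardening point rather than a confirmed leak. Moving the call above the first `session_start();` makes both starts and the following `session_regenerate_id(true)` use the same parameters. The code preceding the comment line lies outside the hunk.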
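Review bot: The new fourth argument `'/'` on `lam_default_profile` (login.php, hunk at -62) changes the cookie's path and not only its flags, because the removed line passed no path and the cookie was therefore stored under the default (request directory) path. The same applies to `lam_last_language` in the -71 hunk and to both `lam_login_name` calls in the -536 hunk. Cookies written by the previous code stay in the browser for up to a year next to the new `/` ones and without HttpOnly, and the empty-value `setcookie('lam_login_name', '', …, '/', null, null, true)` no longer matches the old cookie, so a login name remembered before the upgrade would presumably not be cleared. Either keep the default path when adding the flag, or expire the old-path cookie once alongside the new call, and document it with a comment such as `// path is now "/": cookies set by older versions used the default path`.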
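Review bot: The `Key` and `IV` cookies written in display_LoginPage() (login.php, hunk at -166) now get HttpOnly, but the sixth argument (`secure`) is still `null`, which PHP treats as false, so the browser will also send these values over plain HTTP if the installation is reachable that way. The same `null` is passed in every other `setcookie()` call in this commit and in the three `session_set_cookie_params()` calls. Consider deriving the flag from the request, `$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';`, and passing `"/", "", $secure, true`; the explicit `""` and boolean also avoid handing `null` to the non-nullable `$domain` and `$secure` parameters of `setcookie()`, which newer PHP versions deprecate. Whether this application is meant to be served over HTTPS only is not visible from the diff. The body of display_LoginPage() continues outside the hunk.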
@@ -536,10 +537,10 @@ if(!empty($_POST['checklogin'])) { } else { if (isset($_POST['rememberLogin']) && ($_POST['rememberLogin'] == 'on')) { - setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365); + setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365, '/', null, null, true); } else if (isset($_COOKIE['lam_login_name']) && ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)) { - setcookie('lam_login_name', '', time() + 60*60*24*365); + setcookie('lam_login_name', '', time() + 60*60*24*365, '/', null, null, true); } if($_POST['passwd'] == "") { logNewMessage(LOG_DEBUG, "Empty password for login"); diff --git a/lam/templates/logout.php b/lam/templates/logout.php index 1f1555cf..a664f6f4 100644 --- a/lam/templates/logout.php +++ b/lam/templates/logout.php @@ -9,12 +9,12 @@ $Id$ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA @@ -26,13 +26,13 @@ $Id$ * * @package main * @author Roland Gruber -*/ +*/ // delete key and iv in cookie if (function_exists('mcrypt_create_iv')) { - setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); - setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); + setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true); + setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true); } /** security functions */