mark cookies HTTP only

This commit is contained in:
Roland Gruber 2015-12-19 09:12:47 +00:00
parent b38bc8bc8a
commit 36f054b84e
6 changed files with 17 additions and 14 deletions


@ -662,7 +662,7 @@ class lamList {
$cookieValue .= $this->configOptions[$i]->getID() . "=" . $this->configOptions[$i]->getValue() . ';'; $cookieValue .= $this->configOptions[$i]->getID() . "=" . $this->configOptions[$i]->getValue() . ';';
} }
// save options as cookie for one year // save options as cookie for one year
setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/"); setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/", null, null, true);
// notify subclasses // notify subclasses
$this->listConfigurationChanged(); $this->listConfigurationChanged();
} }
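Review bot: The Secure flag is still passed as `null` in the new setcookie() call on the ListOptions line, so the cookie is sent over plain HTTP even when the application is served over TLS; HttpOnly only keeps it away from scripts, not off the wire. The same `null, null, true` triple is used in every other setcookie() and session_set_cookie_params() call in this commit (the logoff, the two session-start scripts, the login script and the last file section). Deriving the flag from the request, `$secure = (!empty($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off'));` and passing `$secure` as the sixth argument in place of the second `null`, keeps the cookie off cleartext connections without breaking plain-HTTP deployments. The enclosing lamList method starts outside the hunk.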


@ -157,8 +157,8 @@ function logoffAndBackToLoginPage() {
} }
// delete key and iv in cookie // delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
} }
// link back to login page // link back to login page
$paths = array('./', '../', '../../', '../../../', '../../../../'); $paths = array('./', '../', '../../', '../../../', '../../../../');
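Review bot: The two Key/IV calls still "delete" the cookies by overwriting them with a placeholder string and expire `0`, which leaves a session-scoped dummy cookie in the browser instead of removing it; the conventional form is an empty value with an expiry in the past, e.g. `setcookie("Key", "", time() - 3600, "/", null, null, true);` and the same for `"IV"`. The identical pair in the last file section of this commit has the same shape and would take the same change. logoffAndBackToLoginPage() starts outside the hunk.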


@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path(dirname(__FILE__) . '/../../sess'); session_save_path(dirname(__FILE__) . '/../../sess');
} }
session_set_cookie_params(0, '/', null, null, true);
session_start(); session_start();
session_regenerate_id(true); session_regenerate_id(true);
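Review bot: The new `session_set_cookie_params(0, '/', null, null, true);` line is repeated verbatim here, in the next file section and in the login script, so the cookie policy now lives in three entry scripts that must be kept in sync. Since each of them already includes shared library code (the hunk header shows `include_once('../../lib/status.inc')`), setting the policy once in a common include that runs before `session_start()`, or via `session.cookie_httponly = 1` in the PHP configuration, would keep a future change (for example adding the Secure flag) to a single place. This is a style point; the behaviour of the line itself is fine.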


@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path(dirname(__FILE__) . '/../../sess'); session_save_path(dirname(__FILE__) . '/../../sess');
} }
session_set_cookie_params(0, '/', null, null, true);
session_start(); session_start();
session_regenerate_id(true); session_regenerate_id(true);


@ -54,6 +54,7 @@ if (strtolower(session_module_name()) == 'files') {
// start empty session and change ID for security reasons // start empty session and change ID for security reasons
session_start(); session_start();
session_destroy(); session_destroy();
session_set_cookie_params(0, '/', null, null, true);
session_start(); session_start();
session_regenerate_id(true); session_regenerate_id(true);
@ -62,7 +63,7 @@ $profiles = getConfigProfiles();
// save last selected login profile // save last selected login profile
if (isset($_GET['useProfile'])) { if (isset($_GET['useProfile'])) {
if (in_array($_GET['useProfile'], $profiles)) { if (in_array($_GET['useProfile'], $profiles)) {
setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24); setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24, '/', null, null, true);
} }
else { else {
unset($_GET['useProfile']); unset($_GET['useProfile']);
@ -71,7 +72,7 @@ if (isset($_GET['useProfile'])) {
// save last selected language // save last selected language
if (isset($_POST['language'])) { if (isset($_POST['language'])) {
setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24); setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24, '/', null, null, true);
} }
// init some session variables // init some session variables
@ -166,8 +167,8 @@ function display_LoginPage($config_object, $cfgMain) {
$iv = mcrypt_create_iv(32, MCRYPT_RAND); $iv = mcrypt_create_iv(32, MCRYPT_RAND);
} }
// save both in cookie // save both in cookie
setcookie("Key", base64_encode($key), 0, "/"); setcookie("Key", base64_encode($key), 0, "/", null, null, true);
setcookie("IV", base64_encode($iv), 0, "/"); setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
} }
$profiles = getConfigProfiles(); $profiles = getConfigProfiles();
@ -536,10 +537,10 @@ if(!empty($_POST['checklogin'])) {
} }
else { else {
if (isset($_POST['rememberLogin']) && ($_POST['rememberLogin'] == 'on')) { if (isset($_POST['rememberLogin']) && ($_POST['rememberLogin'] == 'on')) {
setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365); setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365, '/', null, null, true);
} }
else if (isset($_COOKIE['lam_login_name']) && ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)) { else if (isset($_COOKIE['lam_login_name']) && ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)) {
setcookie('lam_login_name', '', time() + 60*60*24*365); setcookie('lam_login_name', '', time() + 60*60*24*365, '/', null, null, true);
} }
if($_POST['passwd'] == "") { if($_POST['passwd'] == "") {
logNewMessage(LOG_DEBUG, "Empty password for login"); logNewMessage(LOG_DEBUG, "Empty password for login");
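Review bot: In the first hunk session_set_cookie_params() is inserted after the first `session_start();` / `session_destroy();` pair, so when the browser has no session cookie yet that first start already emits a Set-Cookie header without HttpOnly; the later `session_regenerate_id(true)` sends a second, HttpOnly one and the browser keeps the last, but the unprotected header is still part of the response. Moving `session_set_cookie_params(0, '/', null, null, true);` above the first `session_start();` (before the "start empty session" comment) makes every session cookie this script emits carry the flag. The remaining hunks in this file only extend existing setcookie() calls and need no change beyond that.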


@ -31,8 +31,8 @@ $Id$
// delete key and iv in cookie // delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
} }
/** security functions */ /** security functions */