mark cookies HTTP only

This commit is contained in:
Roland Gruber 2015-12-19 09:12:47 +00:00
parent b38bc8bc8a
commit 36f054b84e
6 changed files with 17 additions and 14 deletions


@ -662,7 +662,7 @@ class lamList {
$cookieValue .= $this->configOptions[$i]->getID() . "=" . $this->configOptions[$i]->getValue() . ';'; $cookieValue .= $this->configOptions[$i]->getID() . "=" . $this->configOptions[$i]->getValue() . ';';
} }
// save options as cookie for one year // save options as cookie for one year
setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/"); setcookie("ListOptions_" . $this->type, $cookieValue, time()+60*60*24*365, "/", null, null, true);
// notify subclasses // notify subclasses
$this->listConfigurationChanged(); $this->listConfigurationChanged();
} }
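Review bot: The new `setcookie` call on the `ListOptions_` line passes `null` for the `secure` argument, so the cookie is still offered over plain HTTP even when LAM is reached over TLS; the same `null, null, true` tail is used by every `setcookie` and `session_set_cookie_params` call in this commit (the Key/IV cookies on logoff and on the login page, `lam_default_profile`, `lam_last_language`, `lam_login_name` and the session cookie parameters). For the Key and IV cookies in particular, which appear to carry the key material that the logoff hunk clears together with the session, sending them on a cleartext connection undoes much of what HttpOnly buys. Deriving the flag from the request, `$secure = (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] != 'off'));`, and passing `$secure` in place of the first `null` keeps HTTP-only deployments working while marking the cookies Secure on HTTPS. This particular cookie only holds list display options, so on its own the exposure is low; the enclosing method of lamList begins before the hunk.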


@ -157,8 +157,8 @@ function logoffAndBackToLoginPage() {
} }
// delete key and iv in cookie // delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
} }
// link back to login page // link back to login page
$paths = array('./', '../', '../../', '../../../', '../../../../'); $paths = array('./', '../', '../../', '../../../', '../../../../');
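Review bot: The two rewritten `setcookie("Key", ...)` / `setcookie("IV", ...)` lines still "delete" the cookies by overwriting them with a dummy value and an expiry of `0`, which makes the browser keep a session cookie holding the placeholder until it closes rather than dropping it. If the intent is removal, an expiry in the past does that directly: `setcookie("Key", "", time() - 3600, "/", null, null, true);` and the same for `"IV"`, which also makes the purpose of the line obvious without the comment. The same pattern is repeated in the last file section of this commit, so it would be worth changing in both places. The body of `logoffAndBackToLoginPage()` starts before this hunk.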


@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path(dirname(__FILE__) . '/../../sess'); session_save_path(dirname(__FILE__) . '/../../sess');
} }
session_set_cookie_params(0, '/', null, null, true);
session_start(); session_start();
session_regenerate_id(true); session_regenerate_id(true);
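Review bot: The added `session_set_cookie_params(0, '/', null, null, true);` is written with three positional `null, null, true` arguments, which gives no hint that the last one is the HttpOnly flag and the one before it the unset Secure flag; the identical line is added in the next file section and on the login page, so the meaning has to be decoded three times. A short comment on the line, `// session cookie: lifetime 0, path "/", default domain, not Secure, HttpOnly`, would make the choice explicit, and since the call is repeated verbatim a small shared helper next to the other security functions would keep the flags in one place when they change. The placement here, before the first `session_start()`, is correct since the parameters only affect cookies sent after the call.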


@ -39,6 +39,7 @@ include_once('../../lib/status.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path(dirname(__FILE__) . '/../../sess'); session_save_path(dirname(__FILE__) . '/../../sess');
} }
session_set_cookie_params(0, '/', null, null, true);
session_start(); session_start();
session_regenerate_id(true); session_regenerate_id(true);


@ -54,6 +54,7 @@ if (strtolower(session_module_name()) == 'files') {
// start empty session and change ID for security reasons // start empty session and change ID for security reasons
session_start(); session_start();
session_destroy(); session_destroy();
session_set_cookie_params(0, '/', null, null, true);
session_start(); session_start();
session_regenerate_id(true); session_regenerate_id(true);
@ -62,7 +63,7 @@ $profiles = getConfigProfiles();
// save last selected login profile // save last selected login profile
if (isset($_GET['useProfile'])) { if (isset($_GET['useProfile'])) {
if (in_array($_GET['useProfile'], $profiles)) { if (in_array($_GET['useProfile'], $profiles)) {
setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24); setcookie("lam_default_profile", $_GET['useProfile'], time() + 365*60*60*24, '/', null, null, true);
} }
else { else {
unset($_GET['useProfile']); unset($_GET['useProfile']);
@ -71,7 +72,7 @@ if (isset($_GET['useProfile'])) {
// save last selected language // save last selected language
if (isset($_POST['language'])) { if (isset($_POST['language'])) {
setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24); setcookie('lam_last_language', htmlspecialchars($_POST['language']), time() + 365*60*60*24, '/', null, null, true);
} }
// init some session variables // init some session variables
@ -166,8 +167,8 @@ function display_LoginPage($config_object, $cfgMain) {
$iv = mcrypt_create_iv(32, MCRYPT_RAND); $iv = mcrypt_create_iv(32, MCRYPT_RAND);
} }
// save both in cookie // save both in cookie
setcookie("Key", base64_encode($key), 0, "/"); setcookie("Key", base64_encode($key), 0, "/", null, null, true);
setcookie("IV", base64_encode($iv), 0, "/"); setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
} }
$profiles = getConfigProfiles(); $profiles = getConfigProfiles();
@ -536,10 +537,10 @@ if(!empty($_POST['checklogin'])) {
} }
else { else {
if (isset($_POST['rememberLogin']) && ($_POST['rememberLogin'] == 'on')) { if (isset($_POST['rememberLogin']) && ($_POST['rememberLogin'] == 'on')) {
setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365); setcookie('lam_login_name', $_POST['username'], time() + 60*60*24*365, '/', null, null, true);
} }
else if (isset($_COOKIE['lam_login_name']) && ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)) { else if (isset($_COOKIE['lam_login_name']) && ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)) {
setcookie('lam_login_name', '', time() + 60*60*24*365); setcookie('lam_login_name', '', time() + 60*60*24*365, '/', null, null, true);
} }
if($_POST['passwd'] == "") { if($_POST['passwd'] == "") {
logNewMessage(LOG_DEBUG, "Empty password for login"); logNewMessage(LOG_DEBUG, "Empty password for login");
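Review bot: In the first hunk of this section the new `session_set_cookie_params(0, '/', null, null, true);` is placed after the `session_start(); session_destroy();` pair, so for a request that arrives without a session cookie the first `session_start()` already emits a Set-Cookie for the session id using whatever parameters are in effect at that point, and only the id created by `session_regenerate_id(true)` gets the HttpOnly flag. Moving that one line above the "start empty session" comment, before the first `session_start();`, means every session cookie this page sends carries the flag; browsers will normally take the last Set-Cookie for the same name, but there is no reason to emit the unflagged one at all. The other hunks in this section apply the flag consistently; `display_LoginPage()` and the `checklogin` block both extend beyond their hunks.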


@ -9,12 +9,12 @@ $Id$
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or the Free Software Foundation; either version 2 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
@ -26,13 +26,13 @@ $Id$
* *
* @package main * @package main
* @author Roland Gruber * @author Roland Gruber
*/ */
// delete key and iv in cookie // delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/"); setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
} }
/** security functions */ /** security functions */