set secure flag for session cookie

2018-03-10 18:48:11 +01:00 · 2018-03-10 18:48:11 +01:00 · eb99b37ddb
parent 0181bed466
commit eb99b37ddb
14 changed files with 37 additions and 35 deletions
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@ -1,9 +1,8 @@
 <?php
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2016  Roland Gruber
+  Copyright (C) 2006 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -40,6 +39,18 @@ checkClientIP();

 setLAMHeaders();

+/**
+ * Starts a session and sets the cookie options.
+ */
+function lam_start_session() {
+	$secureFlag = false;
+	if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) === 'on') {
+		$secureFlag = true;
+	}
+	session_set_cookie_params(0, '/', null, $secureFlag, true);
+	session_start();
+}
+
 /**
 * Starts a session and checks the environment.
 * The script is stopped if one of the checks fail (timeout redirection may be overriden).
@ -59,7 +70,7 @@ function startSecureSession($redirectToLogin = true, $initSecureData = false) {
 			@ini_set("session.gc_probability", 1);
 		}
 	}
-	@session_start();
+	lam_start_session();
 	// init secure data if needed
 	if ($initSecureData && !isset($_SESSION["sec_session_id"])) {
 		$_SESSION["sec_session_id"] = session_id();
--- a/lam/templates/config/conflogin.php
+++ b/lam/templates/config/conflogin.php
@ -12,7 +12,7 @@ use \htmlResponsiveInputField;
 use \htmlHorizontalLine;
 /*
  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -48,8 +48,7 @@ include_once('../../lib/status.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path(dirname(__FILE__) . '/../../sess');
 }
-session_set_cookie_params(0, '/', null, null, true);
-session_start();
+lam_start_session();
 session_regenerate_id(true);

 setlanguage();
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@ -65,7 +65,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/confmodules.php
+++ b/lam/templates/config/confmodules.php
@ -15,7 +15,7 @@ use \htmlResponsiveRow;
 use \htmlGroup;
 /*
  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2004 - 2017  Roland Gruber
+  Copyright (C) 2004 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -53,7 +53,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/confsave.php
+++ b/lam/templates/config/confsave.php
@ -6,7 +6,7 @@ use \htmlStatusMessage;
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2009 - 2017  Roland Gruber
+  Copyright (C) 2009 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -43,7 +43,7 @@ include_once("../../lib/modules.inc");
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/conftypes.php
+++ b/lam/templates/config/conftypes.php
@ -51,7 +51,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/index.php
+++ b/lam/templates/config/index.php
@ -1,9 +1,8 @@
 <?php
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -37,7 +36,7 @@ include_once('../../lib/config.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/mainlogin.php
+++ b/lam/templates/config/mainlogin.php
@ -1,9 +1,8 @@
 <?php
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -42,8 +41,7 @@ if (isLAMProVersion()) {
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path(dirname(__FILE__) . '/../../sess');
 }
-session_set_cookie_params(0, '/', null, null, true);
-session_start();
+lam_start_session();
 session_regenerate_id(true);

 setlanguage();
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@ -63,7 +63,7 @@ include_once('../../lib/selfService.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/moduleSettings.php
+++ b/lam/templates/config/moduleSettings.php
@ -7,10 +7,9 @@ use \htmlButton;
 use \htmlResponsiveRow;
 use \htmlSubTitle;
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2009 - 2017  Roland Gruber
+  Copyright (C) 2009 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -48,7 +47,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/config/profmanage.php
+++ b/lam/templates/config/profmanage.php
@ -14,10 +14,9 @@ use \htmlHiddenInput;
 use \htmlDiv;
 use \htmlLink;
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -53,7 +52,7 @@ include_once('../../lib/status.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();

 setlanguage();

--- a/lam/templates/help.php
+++ b/lam/templates/help.php
@ -1,11 +1,10 @@
 <?php
 namespace LAM\HELP;
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2003 - 2006  Michael Duergner
-                2008 - 2017  Roland Gruber
+                2008 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -48,7 +47,7 @@ if (!empty($_GET['selfService']) && ($_GET['selfService'] === '1')) {
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../sess");
 }
-session_start();
+lam_start_session();

 /** status messages */
 include_once("../lib/status.inc");
--- a/lam/templates/lib/141_jquery-validationEngine-lang.php
+++ b/lam/templates/lib/141_jquery-validationEngine-lang.php
@ -1,10 +1,9 @@
 <?php
 /*
-$Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2010         Cedric Dugas and Olivier Refalo
-                2011 - 2016  Roland Gruber
+                2011 - 2018  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -34,7 +33,7 @@ if (!headers_sent()) {
 	header('Content-Type: application/json; charset=utf-8');
 }

-@session_start();
+@lam_start_session();
 setlanguage();

 ?>
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@ -72,10 +72,9 @@ if (strtolower(session_module_name()) == 'files') {
 }

 // start empty session and change ID for security reasons
-session_start();
+lam_start_session();
 session_destroy();
-session_set_cookie_params(0, '/', null, null, true);
-session_start();
+lam_start_session();
 session_regenerate_id(true);

 $profiles = getConfigProfiles();