From eb99b37ddb616fc39c0d3728f3958a2f7b828c9f Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Sat, 10 Mar 2018 18:48:11 +0100
Subject: [PATCH] set secure flag for session cookie

---
 lam/lib/security.inc                            | 17 ++++++++++++++---
 lam/templates/config/conflogin.php              |  5 ++---
 lam/templates/config/confmain.php               |  2 +-
 lam/templates/config/confmodules.php            |  4 ++--
 lam/templates/config/confsave.php               |  4 ++--
 lam/templates/config/conftypes.php              |  2 +-
 lam/templates/config/index.php                  |  5 ++---
 lam/templates/config/mainlogin.php              |  6 ++----
 lam/templates/config/mainmanage.php             |  2 +-
 lam/templates/config/moduleSettings.php         |  5 ++---
 lam/templates/config/profmanage.php             |  5 ++---
 lam/templates/help.php                          |  5 ++---
 .../lib/141_jquery-validationEngine-lang.php    |  5 ++---
 lam/templates/login.php                         |  5 ++---
 14 files changed, 37 insertions(+), 35 deletions(-)

diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 6c16138f..1249ef5e 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -1,9 +1,8 @@
 <?php
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2016  Roland Gruber
+  Copyright (C) 2006 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -40,6 +39,18 @@ checkClientIP();
 
 setLAMHeaders();
 
+/**
+ * Starts a session and sets the cookie options.
+ */
+function lam_start_session() {
+	$secureFlag = false;
+	if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) === 'on') {
+		$secureFlag = true;
+	}
+	session_set_cookie_params(0, '/', null, $secureFlag, true);
+	session_start();
+}
+
 /**
  * Starts a session and checks the environment.
  * The script is stopped if one of the checks fail (timeout redirection may be overriden).
@@ -59,7 +70,7 @@ function startSecureSession($redirectToLogin = true, $initSecureData = false) {
 			@ini_set("session.gc_probability", 1);
 		}
 	}
-	@session_start();
+	lam_start_session();
 	// init secure data if needed
 	if ($initSecureData && !isset($_SESSION["sec_session_id"])) {
 		$_SESSION["sec_session_id"] = session_id();
diff --git a/lam/templates/config/conflogin.php b/lam/templates/config/conflogin.php
index 4363a9ea..7b03532e 100644
--- a/lam/templates/config/conflogin.php
+++ b/lam/templates/config/conflogin.php
@@ -12,7 +12,7 @@ use \htmlResponsiveInputField;
 use \htmlHorizontalLine;
 /*
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -48,8 +48,7 @@ include_once('../../lib/status.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path(dirname(__FILE__) . '/../../sess');
 }
-session_set_cookie_params(0, '/', null, null, true);
-session_start();
+lam_start_session();
 session_regenerate_id(true);
 
 setlanguage();
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index a34ef26c..fc702f89 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -65,7 +65,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/confmodules.php b/lam/templates/config/confmodules.php
index e510d355..fa1c4d7a 100644
--- a/lam/templates/config/confmodules.php
+++ b/lam/templates/config/confmodules.php
@@ -15,7 +15,7 @@ use \htmlResponsiveRow;
 use \htmlGroup;
 /*
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2004 - 2017  Roland Gruber
+  Copyright (C) 2004 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -53,7 +53,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/confsave.php b/lam/templates/config/confsave.php
index fde96ad3..85d2eb75 100644
--- a/lam/templates/config/confsave.php
+++ b/lam/templates/config/confsave.php
@@ -6,7 +6,7 @@ use \htmlStatusMessage;
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2009 - 2017  Roland Gruber
+  Copyright (C) 2009 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -43,7 +43,7 @@ include_once("../../lib/modules.inc");
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/conftypes.php b/lam/templates/config/conftypes.php
index 958965b0..ccc4d341 100644
--- a/lam/templates/config/conftypes.php
+++ b/lam/templates/config/conftypes.php
@@ -51,7 +51,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/index.php b/lam/templates/config/index.php
index 9f373f35..ae649ba3 100644
--- a/lam/templates/config/index.php
+++ b/lam/templates/config/index.php
@@ -1,9 +1,8 @@
 <?php
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -37,7 +36,7 @@ include_once('../../lib/config.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/mainlogin.php b/lam/templates/config/mainlogin.php
index d3a43899..ea575ccb 100644
--- a/lam/templates/config/mainlogin.php
+++ b/lam/templates/config/mainlogin.php
@@ -1,9 +1,8 @@
 <?php
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -42,8 +41,7 @@ if (isLAMProVersion()) {
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path(dirname(__FILE__) . '/../../sess');
 }
-session_set_cookie_params(0, '/', null, null, true);
-session_start();
+lam_start_session();
 session_regenerate_id(true);
 
 setlanguage();
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 12f1ef28..cd8d9a42 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -63,7 +63,7 @@ include_once('../../lib/selfService.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/moduleSettings.php b/lam/templates/config/moduleSettings.php
index 11079615..bf17e44b 100644
--- a/lam/templates/config/moduleSettings.php
+++ b/lam/templates/config/moduleSettings.php
@@ -7,10 +7,9 @@ use \htmlButton;
 use \htmlResponsiveRow;
 use \htmlSubTitle;
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2009 - 2017  Roland Gruber
+  Copyright (C) 2009 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -48,7 +47,7 @@ include_once '../../lib/configPages.inc';
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/config/profmanage.php b/lam/templates/config/profmanage.php
index 08ace0af..3c36d43b 100644
--- a/lam/templates/config/profmanage.php
+++ b/lam/templates/config/profmanage.php
@@ -14,10 +14,9 @@ use \htmlHiddenInput;
 use \htmlDiv;
 use \htmlLink;
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2017  Roland Gruber
+  Copyright (C) 2003 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -53,7 +52,7 @@ include_once('../../lib/status.inc');
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../../sess");
 }
-@session_start();
+lam_start_session();
 
 setlanguage();
 
diff --git a/lam/templates/help.php b/lam/templates/help.php
index 4ed278cb..9a968d6b 100644
--- a/lam/templates/help.php
+++ b/lam/templates/help.php
@@ -1,11 +1,10 @@
 <?php
 namespace LAM\HELP;
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2008 - 2017  Roland Gruber
+                2008 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -48,7 +47,7 @@ if (!empty($_GET['selfService']) && ($_GET['selfService'] === '1')) {
 if (strtolower(session_module_name()) == 'files') {
 	session_save_path("../sess");
 }
-session_start();
+lam_start_session();
 
 /** status messages */
 include_once("../lib/status.inc");
diff --git a/lam/templates/lib/141_jquery-validationEngine-lang.php b/lam/templates/lib/141_jquery-validationEngine-lang.php
index e823deb1..29fe6142 100644
--- a/lam/templates/lib/141_jquery-validationEngine-lang.php
+++ b/lam/templates/lib/141_jquery-validationEngine-lang.php
@@ -1,10 +1,9 @@
 <?php
 /*
-$Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2010         Cedric Dugas and Olivier Refalo
-                2011 - 2016  Roland Gruber
+                2011 - 2018  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -34,7 +33,7 @@ if (!headers_sent()) {
 	header('Content-Type: application/json; charset=utf-8');
 }
 
-@session_start();
+@lam_start_session();
 setlanguage();
 
 ?>
diff --git a/lam/templates/login.php b/lam/templates/login.php
index dfebfa44..3b07fc67 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -72,10 +72,9 @@ if (strtolower(session_module_name()) == 'files') {
 }
 
 // start empty session and change ID for security reasons
-session_start();
+lam_start_session();
 session_destroy();
-session_set_cookie_params(0, '/', null, null, true);
-session_start();
+lam_start_session();
 session_regenerate_id(true);
 
 $profiles = getConfigProfiles();