set secure flag for session cookie

This commit is contained in:
Roland Gruber 2018-03-10 18:48:11 +01:00
parent 0181bed466
commit eb99b37ddb
14 changed files with 37 additions and 35 deletions


@ -1,9 +1,8 @@
<?php <?php
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2006 - 2016 Roland Gruber Copyright (C) 2006 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -40,6 +39,18 @@ checkClientIP();
setLAMHeaders(); setLAMHeaders();
/**
* Starts a session and sets the cookie options.
*/
function lam_start_session() {
$secureFlag = false;
if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) === 'on') {
$secureFlag = true;
}
session_set_cookie_params(0, '/', null, $secureFlag, true);
session_start();
}
/** /**
* Starts a session and checks the environment. * Starts a session and checks the environment.
* The script is stopped if one of the checks fail (timeout redirection may be overriden). * The script is stopped if one of the checks fail (timeout redirection may be overriden).
@ -59,7 +70,7 @@ function startSecureSession($redirectToLogin = true, $initSecureData = false) {
@ini_set("session.gc_probability", 1); @ini_set("session.gc_probability", 1);
} }
} }
@session_start(); lam_start_session();
// init secure data if needed // init secure data if needed
if ($initSecureData && !isset($_SESSION["sec_session_id"])) { if ($initSecureData && !isset($_SESSION["sec_session_id"])) {
$_SESSION["sec_session_id"] = session_id(); $_SESSION["sec_session_id"] = session_id();
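Review bot: The HTTPS detection in `lam_start_session` only recognises the literal value `on`, so on a server that exports `$_SERVER['HTTPS']` as `1`, or that leaves it unset because TLS is terminated at a reverse proxy, the Secure flag is silently dropped and the browser will also send the session cookie over plain http. The PHP manual describes `HTTPS` as "a non-empty value" with `off` as the negative case on IIS, so the more robust test is `$secureFlag = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';`. A proxied deployment cannot be detected from this request variable at all, so it needs an explicit way to force the flag, for example a configuration option or trusting `X-Forwarded-Proto` only from a known proxy address; the docblock should then state that Secure is set only when HTTPS is detected or forced. `startSecureSession` continues outside the hunk.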


@ -12,7 +12,7 @@ use \htmlResponsiveInputField;
use \htmlHorizontalLine; use \htmlHorizontalLine;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2017 Roland Gruber Copyright (C) 2003 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -48,8 +48,7 @@ include_once('../../lib/status.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path(dirname(__FILE__) . '/../../sess'); session_save_path(dirname(__FILE__) . '/../../sess');
} }
session_set_cookie_params(0, '/', null, null, true); lam_start_session();
session_start();
session_regenerate_id(true); session_regenerate_id(true);
setlanguage(); setlanguage();


@ -65,7 +65,7 @@ include_once '../../lib/configPages.inc';
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -15,7 +15,7 @@ use \htmlResponsiveRow;
use \htmlGroup; use \htmlGroup;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2017 Roland Gruber Copyright (C) 2004 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -53,7 +53,7 @@ include_once '../../lib/configPages.inc';
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -6,7 +6,7 @@ use \htmlStatusMessage;
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2009 - 2017 Roland Gruber Copyright (C) 2009 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -43,7 +43,7 @@ include_once("../../lib/modules.inc");
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -51,7 +51,7 @@ include_once '../../lib/configPages.inc';
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -1,9 +1,8 @@
<?php <?php
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2017 Roland Gruber Copyright (C) 2003 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -37,7 +36,7 @@ include_once('../../lib/config.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -1,9 +1,8 @@
<?php <?php
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2017 Roland Gruber Copyright (C) 2003 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -42,8 +41,7 @@ if (isLAMProVersion()) {
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path(dirname(__FILE__) . '/../../sess'); session_save_path(dirname(__FILE__) . '/../../sess');
} }
session_set_cookie_params(0, '/', null, null, true); lam_start_session();
session_start();
session_regenerate_id(true); session_regenerate_id(true);
setlanguage(); setlanguage();


@ -63,7 +63,7 @@ include_once('../../lib/selfService.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -7,10 +7,9 @@ use \htmlButton;
use \htmlResponsiveRow; use \htmlResponsiveRow;
use \htmlSubTitle; use \htmlSubTitle;
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2009 - 2017 Roland Gruber Copyright (C) 2009 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -48,7 +47,7 @@ include_once '../../lib/configPages.inc';
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -14,10 +14,9 @@ use \htmlHiddenInput;
use \htmlDiv; use \htmlDiv;
use \htmlLink; use \htmlLink;
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2017 Roland Gruber Copyright (C) 2003 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -53,7 +52,7 @@ include_once('../../lib/status.inc');
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../../sess"); session_save_path("../../sess");
} }
@session_start(); lam_start_session();
setlanguage(); setlanguage();


@ -1,11 +1,10 @@
<?php <?php
namespace LAM\HELP; namespace LAM\HELP;
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2008 - 2017 Roland Gruber 2008 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -48,7 +47,7 @@ if (!empty($_GET['selfService']) && ($_GET['selfService'] === '1')) {
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
session_save_path("../sess"); session_save_path("../sess");
} }
session_start(); lam_start_session();
/** status messages */ /** status messages */
include_once("../lib/status.inc"); include_once("../lib/status.inc");


@ -1,10 +1,9 @@
<?php <?php
/* /*
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2010 Cedric Dugas and Olivier Refalo Copyright (C) 2010 Cedric Dugas and Olivier Refalo
2011 - 2016 Roland Gruber 2011 - 2018 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -34,7 +33,7 @@ if (!headers_sent()) {
header('Content-Type: application/json; charset=utf-8'); header('Content-Type: application/json; charset=utf-8');
} }
@session_start(); @lam_start_session();
setlanguage(); setlanguage();
?> ?>
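Review bot: The `@` kept in front of `lam_start_session()` now also silences every warning raised inside the helper, including the one `session_set_cookie_params()` emits when headers were already sent; in that situation the session cookie goes out without the Secure and HttpOnly flags and nothing reports it, which is exactly the case the `headers_sent()` guard a few lines above hints is possible here. Every other call site in this commit invokes the helper without `@`, so this looks like a leftover from the old `@session_start()`; dropping it, `lam_start_session();`, keeps the callers consistent, or the helper could `return session_start();` so this endpoint can react to a failed start. The earlier part of this script is outside the hunk.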


@ -72,10 +72,9 @@ if (strtolower(session_module_name()) == 'files') {
} }
// start empty session and change ID for security reasons // start empty session and change ID for security reasons
session_start(); lam_start_session();
session_destroy(); session_destroy();
session_set_cookie_params(0, '/', null, null, true); lam_start_session();
session_start();
session_regenerate_id(true); session_regenerate_id(true);
$profiles = getConfigProfiles(); $profiles = getConfigProfiles();