As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/acctfuncs.inc.php | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index b2f0548..b26d0cf 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -592,6 +592,7 @@ function display_account_info($U="", $T="", $E="", $R="", $I="") {
  */
 function try_login() {
 	global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;
+	global $DISABLE_HTTP_LOGIN;
 	$login_error = "";
 	$new_sid = "";
 
@@ -658,7 +659,12 @@ function try_login() {
 		else
 			$cookie_time = 0;
 
-		setcookie("AURSID", $new_sid, $cookie_time, "/");
+		if ($DISABLE_HTTP_LOGIN) {
+			setcookie("AURSID", $new_sid, $cookie_time, "/", "", true, true);
+		}
+		else {
+			setcookie("AURSID", $new_sid, $cookie_time, "/");
+		}
 
 		header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
 		$login_error = "";
-- 
1.7.6
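Review bot: The `httponly` flag is gated on `$DISABLE_HTTP_LOGIN` in the new `if` branch, but HttpOnly only keeps scripts from reading the cookie and has nothing to do with transport, so it should be set on both branches; only the `secure` flag depends on whether HTTPS-only login is enforced. The two branches collapse to a single call, `setcookie("AURSID", $new_sid, $cookie_time, "/", "", (bool) $DISABLE_HTTP_LOGIN, true);`, which also keeps the `else` branch from silently dropping XSS protection for deployments that still allow HTTP. When HTTPS-only login is off, the AURSID cookie is still sent over plain HTTP on this path, which is the trade-off the setting expresses rather than something this hunk can fix. The commit message credits both flags with preventing transfer over insecure connections, but only `secure` does that. `$DISABLE_HTTP_LOGIN` is presumably defined in the site config outside this hunk, and the body of try_login() continues past the hunk's last line.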