On Thu, 11 Aug 2011 18:06:01 +0200, Lukas Fleischer wrote:
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
web/lib/acctfuncs.inc.php | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index b2f0548..b26d0cf 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -592,6 +592,7 @@ function display_account_info($U="", $T="", $E="", $R="", $I="") { */ function try_login() { global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT; + global $DISABLE_HTTP_LOGIN;
$login_error = ""; $new_sid = ""; @@ -658,7 +659,12 @@ function try_login() { else $cookie_time = 0;
- setcookie("AURSID", $new_sid, $cookie_time, "/"); + if ($DISABLE_HTTP_LOGIN) { + setcookie("AURSID", $new_sid, $cookie_time, "/", "", true, true); + } + else { + setcookie("AURSID", $new_sid, $cookie_time, "/"); + } header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']); $login_error = "";
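Review bot: `global $DISABLE_HTTP_LOGIN;` in the first hunk reads a setting that nothing in this patch defines (the diffstat lists only web/lib/acctfuncs.inc.php). If the option is not already present in the configuration, the read produces an undefined-variable notice and evaluates to false, so the login silently falls through to the non-secure branch; the setting should ship with a documented default in the configuration, or the code should handle an unset value explicitly instead of relying on the falsy fallback.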
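Review bot: in the second hunk the `httponly` flag is made conditional on `$DISABLE_HTTP_LOGIN` although it is unrelated to the transport; the `else` branch `setcookie("AURSID", $new_sid, $cookie_time, "/");` still issues a session cookie that client-side script can read. Set `httponly` in both cases and derive only the `secure` argument from the setting, which also removes the duplicated call, e.g. `setcookie("AURSID", $new_sid, $cookie_time, "/", "", (bool) $DISABLE_HTTP_LOGIN, true);`. The seven-argument form of setcookie() requires PHP 5.2 or newer, which is worth stating in the commit message if the AUR still supports older releases.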
You could also always use a secure cookie when https is used. E.g. see my patch for flyspray: http://projects.archlinux.org/vhosts/bugs.archlinux.org.git/commit/?id=2abba...
-- Pierre Schmitz, https://users.archlinux.de/~pierre