As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
As Pierre suggested, always enable "secure" if HTTPs is used. This is slightly better as it ensures cookies from a HTTPs login never get transferred in plain text, even if HTTP login is still enabled.

 web/html/logout.php | 2 +-
 web/lib/acctfuncs.inc.php | 2 +-
 web/lib/aur.inc.php | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/web/html/logout.php b/web/html/logout.php
index dee6456..1cdf453 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -15,7 +15,7 @@ if (isset($_COOKIE["AURSID"])) {
 $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
 db_query($q, $dbh);
 # setting expiration to 1 means '1 second after midnight January 1, 1970'
- setcookie("AURSID", "", 1, "/");
+ setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 unset($_COOKIE['AURSID']);
 }
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index b2f0548..97fb69b 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -658,7 +658,7 @@ function try_login() {
 else
 $cookie_time = 0;
- setcookie("AURSID", $new_sid, $cookie_time, "/");
+ setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true);
 header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
 $login_error = "";
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 474ebee..f432697 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
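Review bot: The flags on the deletion cookie are harmless, but the guard shown in the hunk header (`if (isset($_COOKIE["AURSID"]))`) means a Secure AURSID issued by an HTTPS login is never sent with a logout request served over plain HTTP, so neither the DELETE above nor this `setcookie` runs and the session row stays valid for HTTPS. If this page is still reachable over HTTP it should redirect to HTTPS (or be HTTPS-only), and the dependency deserves a comment next to the existing expiry note: `# a Secure AURSID from an HTTPS login is not sent over plain HTTP, so this branch only clears it (and deletes the row) when logout itself is served over HTTPS`. Whether HTTP access to logout.php is still possible cannot be seen from this hunk.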
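Review bot: `!empty($_SERVER['HTTPS'])` on the new `setcookie` line is not a reliable TLS test: some SAPIs (IIS/ISAPI and a number of FastCGI setups) populate `HTTPS` with the string `'off'` on plain-HTTP requests, which is non-empty, so the login cookie would carry `Secure` on an HTTP response and the browser would never return it — HTTP login silently breaks; conversely, behind a TLS-terminating proxy the variable is usually absent, so an HTTPS login gets a non-Secure cookie, which is exactly the case the commit message says it closes. Compute the flag once with `$secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off';` and pass `$secure` as the sixth argument; the proxy case needs a config switch or a check of a trusted forwarded-proto header, which this hunk alone cannot decide. The body of try_login begins and ends outside the hunk.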
@@ -47,7 +47,7 @@ function check_sid($dbh=NULL) {
 # clear out the hacker's cookie, and send them to a naughty page
 # why do you have to be so harsh on these people!?
 #
- setcookie("AURSID", "", 1, "/");
+ setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 unset($_COOKIE['AURSID']);
 } elseif ($failed == 2) {
 # session id timeout was reached and they must login again.
@@ -56,7 +56,7 @@ function check_sid($dbh=NULL) {
 $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
 db_query($q, $dbh);
- setcookie("AURSID", "", 1, "/");
+ setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 unset($_COOKIE['AURSID']);
 } else {
 # still logged in and haven't reached the timeout, go ahead
-- 
1.7.6
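Review bot: This is the third copy of the seven-argument `setcookie("AURSID", …, "/", null, !empty($_SERVER['HTTPS']), true)` call (logout.php and try_login carry the others, and the timeout branch below a fourth), each re-deriving the Secure flag inline, so a change to the TLS test or the cookie attributes has to be made in four places. A single helper in aur.inc.php would keep the sites from drifting and give one place to harden the test (the `'off'` value some SAPIs put in `$_SERVER['HTTPS']` is currently treated as "on"); each call site then becomes `set_session_cookie("", 1);` or, in try_login, `set_session_cookie($new_sid, $cookie_time);`. The body of check_sid begins and ends outside the hunk.
```php
# Issue or clear the AURSID cookie with HttpOnly set, and Secure set when
# the current request is served over TLS. $expire is the setcookie() expiry;
# 1 clears the cookie. Path "/" and a null domain match the existing calls.
function set_session_cookie($sid, $expire) {
	$secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off';
	setcookie("AURSID", $sid, $expire, "/", null, $secure, true);
}

# … in check_sid, unchanged: "hacker's cookie" comments …
set_session_cookie("", 1);
```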
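Review bot: Sessions issued before this change keep their old AURSID cookie, without HttpOnly or Secure, until they time out or log out, because as far as the hunk shows the `else` branch below (`# still logged in … go ahead`) never re-sends the cookie and only the two failure paths in this function set the new flags. If live sessions matter at deploy time, either clear the Sessions table (forcing a fresh login that issues the flagged cookie) or re-send the cookie once on the still-logged-in path, and note the choice in a comment such as `# pre-existing sessions keep their unflagged cookie until re-login`. Whether check_sid or another caller already refreshes the cookie on success is not visible from this hunk, and the function's body begins and ends outside it.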