[aur-dev] [PATCH 2/2] Use secure and httponly session cookies

Lukas Fleischer archlinux at cryptocrack.de
Thu Aug 11 12:06:01 EDT 2011


As discussed on the mailing list, enable "secure" and "httponly" for
session cookies to prevent them from being transferred over insecure
connections.

Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
 web/lib/acctfuncs.inc.php |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index b2f0548..b26d0cf 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -592,6 +592,7 @@ function display_account_info($U="", $T="", $E="", $R="", $I="") {
  */
 function try_login() {
 	global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;
+	global $DISABLE_HTTP_LOGIN;
 
 	$login_error = "";
 	$new_sid = "";
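Review bot: the new `global $DISABLE_HTTP_LOGIN;` depends on a configuration variable that this hunk neither defines nor documents; if it is missing from the config file, PHP treats it as null, the check below evaluates false, and the cookie is silently sent without `secure`/`httponly`. Consider adding a default value and a short comment where the other globals (`$MAX_SESSIONS_PER_USER`, `$PERSISTENT_COOKIE_TIMEOUT`) are defined, so the insecure fallback is an explicit choice rather than an accident of a missing setting.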
@@ -658,7 +659,12 @@ function try_login() {
 				else
 					$cookie_time = 0;
 
-				setcookie("AURSID", $new_sid, $cookie_time, "/");
+				if ($DISABLE_HTTP_LOGIN) {
+					setcookie("AURSID", $new_sid, $cookie_time, "/", "", true, true);
+				}
+				else {
+					setcookie("AURSID", $new_sid, $cookie_time, "/");
+				}
 				header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
 				$login_error = "";
 
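Review bot: the `else` branch still issues the cookie without `httponly`, although only the `secure` flag actually depends on HTTPS being enforced; `httponly` is harmless over plain HTTP and keeps the session id out of reach of client-side script in both configurations. Suggest passing it unconditionally, e.g. `setcookie("AURSID", $new_sid, $cookie_time, "/", "", false, true);` in the `else` branch, so the two calls differ only in the `secure` argument.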
-- 
1.7.6