[aur-dev] [PATCH 2/2] Use secure and httponly session cookies
Pierre Schmitz
pierre at archlinux.de
Thu Aug 11 17:43:01 EDT 2011
On Thu, 11 Aug 2011 18:06:01 +0200, Lukas Fleischer wrote:
> As discussed on the mailing list, enable "secure" and "httponly" for
> session cookies to prevent them from being transferred over insecure
> connections.
>
> Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
> ---
> web/lib/acctfuncs.inc.php | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> index b2f0548..b26d0cf 100644
> --- a/web/lib/acctfuncs.inc.php
> +++ b/web/lib/acctfuncs.inc.php
> @@ -592,6 +592,7 @@ function display_account_info($U="", $T="",
> $E="", $R="", $I="") {
> */
> function try_login() {
> global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT;
> + global $DISABLE_HTTP_LOGIN;
>
> $login_error = "";
> $new_sid = "";
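Review bot: `$DISABLE_HTTP_LOGIN` is pulled in as a global, but nothing in this patch defines it or documents it as a configuration option; if the setting is absent, PHP treats the undefined variable as false (emitting a notice) and the second hunk silently falls back to the unflagged cookie. Suggest documenting the option alongside the other globals such as `$MAX_SESSIONS_PER_USER` and `$PERSISTENT_COOKIE_TIMEOUT`, and consider defaulting to the secure branch when the variable is not set.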
> @@ -658,7 +659,12 @@ function try_login() {
> else
> $cookie_time = 0;
>
> - setcookie("AURSID", $new_sid, $cookie_time, "/");
> + if ($DISABLE_HTTP_LOGIN) {
> + setcookie("AURSID", $new_sid, $cookie_time, "/", "", true, true);
> + }
> + else {
> + setcookie("AURSID", $new_sid, $cookie_time, "/");
> + }
> header("Location: " .
> $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
> $login_error = "";
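Review bot: the else branch drops HttpOnly together with Secure, yet HttpOnly is independent of the transport and is safe to set whether or not plain-HTTP logins are allowed; suggest `setcookie("AURSID", $new_sid, $cookie_time, "/", "", false, true);` in the else branch so script access to AURSID is blocked in both configurations. Tying the Secure flag to `$DISABLE_HTTP_LOGIN` rather than to whether the current request arrived over HTTPS also means an HTTPS login with the option turned off still issues a cookie that the browser will send over HTTP; deriving the flag from the request itself would cover that case.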
You could also always use a secure cookie when https is used. E.g. see
my patch for flyspray:
http://projects.archlinux.org/vhosts/bugs.archlinux.org.git/commit/?id=2abba00465f99a63b10f9bb9a403e359c12b56cb
--
Pierre Schmitz, https://users.archlinux.de/~pierre
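As an added illustration of the approach suggested in the reply above (this is example code, not code from the AUR or Flyspray projects): derive the Secure flag from the transport of the current request instead of from a configuration switch, and set HttpOnly unconditionally since it does not depend on the transport. The helper names and the reliance on `$_SERVER['HTTPS']` alone (no TLS-terminating proxy in front of the application) are assumptions of this example.

```php
<?php
// Added example (not AUR/Flyspray code): choose the "secure" cookie flag from
// the actual transport and always set HttpOnly, which is transport-independent.

// Returns true when the current request arrived over TLS. Only $_SERVER['HTTPS']
// is consulted; a deployment behind a TLS-terminating proxy would have to check
// a trusted forwarded header instead (assumption of this example: no proxy).
function request_is_https() {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Set the session cookie with flags chosen from the transport. Secure is set
// whenever the request itself is HTTPS, so an HTTPS login never hands out a
// cookie that a later plain-HTTP request would transmit; HttpOnly is always set.
function set_session_cookie($name, $sid, $expire, $path = "/") {
    $secure = request_is_https();
    // setcookie arguments: name, value, expire, path, domain, secure, httponly
    return setcookie($name, $sid, $expire, $path, "", $secure, true);
}

// Illustrative call from a login handler, with $new_sid and $cookie_time
// computed as in the patched try_login():
// set_session_cookie("AURSID", $new_sid, $cookie_time);
```

Combined with a setting like `$DISABLE_HTTP_LOGIN` that refuses logins over plain HTTP, every session cookie is then issued with Secure; without that setting, HTTP logins still get HttpOnly and HTTPS logins still get both flags.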