[aur-dev] [PATCH v2] Use secure and httponly session cookies

Lukas Fleischer archlinux at cryptocrack.de
Thu Aug 11 18:12:14 EDT 2011


As discussed on the mailing list, enable "secure" and "httponly" for
session cookies to prevent them from being transferred over insecure
connections.

Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
---
As Pierre suggested, always enable "secure" if HTTPS is used. This is
slightly better as it ensures cookies from an HTTPS login never get
transferred in plain text, even if HTTP login is still enabled.

 web/html/logout.php       |    2 +-
 web/lib/acctfuncs.inc.php |    2 +-
 web/lib/aur.inc.php       |    4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/web/html/logout.php b/web/html/logout.php
index dee6456..1cdf453 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -15,7 +15,7 @@ if (isset($_COOKIE["AURSID"])) {
 	$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
 	db_query($q, $dbh);
 	# setting expiration to 1 means '1 second after midnight January 1, 1970'
-	setcookie("AURSID", "", 1, "/");
+	setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 	unset($_COOKIE['AURSID']);
 }
 
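Review bot: in the logout.php hunk the clearing cookie inherits the request's transport, so a logout over plain HTTP after an HTTPS login sends a non-Secure replacement for a Secure cookie; browsers that implement "Leave Secure Cookies Alone" (RFC 6265bis) refuse to let a non-secure origin overwrite a Secure cookie, so the stale AURSID can remain in the browser even though the `db_query($q, $dbh)` above has already deleted the session server-side. The session is still dead, but if logout is meant to scrub the client too, consider redirecting logout to HTTPS when it is available rather than relying on `!empty($_SERVER['HTTPS'])` on the HTTP path.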
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index b2f0548..97fb69b 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -658,7 +658,7 @@ function try_login() {
 				else
 					$cookie_time = 0;
 
-				setcookie("AURSID", $new_sid, $cookie_time, "/");
+				setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true);
 				header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
 				$login_error = "";
 
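Review bot: the `!empty($_SERVER['HTTPS'])` test on the new `setcookie()` line is a fragile way to detect TLS for the one cookie that matters most. Some SAPIs (IIS is the usual example) set `$_SERVER['HTTPS']` to the string "off" on plain requests, which is non-empty and would mark a cookie issued over HTTP as Secure; conversely, behind a TLS-terminating reverse proxy the variable is typically unset, so a genuinely HTTPS login would get a non-Secure cookie. Suggest a small helper such as `$_SERVER['HTTPS'] && strtolower($_SERVER['HTTPS']) !== 'off'`, or better a config switch that forces the flag on when the site is known to be served over TLS, and use it here and at the three clearing sites.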
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 474ebee..f432697 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -47,7 +47,7 @@ function check_sid($dbh=NULL) {
 			# clear out the hacker's cookie, and send them to a naughty page
 			# why do you have to be so harsh on these people!?
 			#
-			setcookie("AURSID", "", 1, "/");
+			setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 			unset($_COOKIE['AURSID']);
 		} elseif ($failed == 2) {
 			# session id timeout was reached and they must login again.
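Review bot: this is the third copy of the identical `setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);` line (logout.php, and twice in check_sid()). Since aur.inc.php is already the shared include, factor the expiry into a `clear_aursid_cookie()` helper next to check_sid() so the path, secure and httponly arguments cannot drift between call sites the next time one of them is touched; the login site in try_login() could then share the same HTTPS-detection expression.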
@@ -56,7 +56,7 @@ function check_sid($dbh=NULL) {
 			$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
 			db_query($q, $dbh);
 
-			setcookie("AURSID", "", 1, "/");
+			setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
 			unset($_COOKIE['AURSID']);
 		} else {
 			# still logged in and haven't reached the timeout, go ahead
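Review bot: the seventh `setcookie()` argument added in this hunk (and the other three) is httponly, which stops scripts from reading the cookie via document.cookie; it has nothing to do with transport, so the commit message's "prevent them from being transferred over insecure connections" describes only the secure flag. Suggest the message state both goals explicitly, e.g. that secure keeps the cookie off plaintext connections and httponly keeps it out of reach of injected script.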
-- 
1.7.6