[mms] Only store keys in cookie if cookies are in use (Bug #13284; th…

…omas.jarosch@intra2net.com).
horde · Jun 24, 2014 · 6c50180 · 6c50180
1 parent 9f02bf8
commit 6c50180
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 11 deletions.
diff --git a/framework/Secret/lib/Horde/Secret.php b/framework/Secret/lib/Horde/Secret.php
@@ -124,7 +124,7 @@ protected function _getCipherOb($key)
 
     /**
      * Generate a secret key (for encryption), either using a random
-     * md5 string and storing it in a cookie if the user has cookies
+     * string and storing it in a cookie if the user has cookies
      * enabled, or munging some known values if they don't.
      *
      * @param string $keyname  The name of the key to set.
@@ -133,23 +133,17 @@ protected function _getCipherOb($key)
      */
     public function setKey($keyname = self::DEFAULT_KEY)
     {
-        $set = true;
-
         if (isset($_COOKIE[$this->_params['session_name']])) {
             if (isset($_COOKIE[$keyname . '_key'])) {
                 $key = $_COOKIE[$keyname . '_key'];
-                $set = false;
             } else {
                 $key = $_COOKIE[$keyname . '_key'] = strval(new Horde_Support_Randomid());
+                $this->_setCookie($keyname, $key);
             }
         } else {
             $key = session_id();
         }
 
-        if ($set) {
-            $this->_setCookie($keyname, $key);
-        }
-
         return $key;
     }
 
@@ -187,9 +181,13 @@ public function getKey($keyname = self::DEFAULT_KEY)
      */
     public function clearKey($keyname = self::DEFAULT_KEY)
     {
-        if (isset($_COOKIE[$this->_params['session_name']]) &&
-            isset($_COOKIE[$keyname . '_key'])) {
-            $this->_setCookie($keyname, false);
+        if (isset($_COOKIE[$this->_params['session_name']])) {
+            if (isset($_COOKIE[$keyname . '_key'])) {
+                $this->_setCookie($keyname, false);
+                return true;
+            }
+        } elseif (isset($this->_keyCache[$keyname])) {
+            unset($this->_keyCache[$keyname]);
             return true;
         }
 
@@ -204,6 +202,10 @@ public function clearKey($keyname = self::DEFAULT_KEY)
      */
     protected function _setCookie($keyname, $key)
     {
+        if (!isset($_COOKIE[$this->_params['session_name']])) {
+            return;
+        }
+
         @setcookie(
             $keyname . '_key',
             $key,

diff --git a/framework/Secret/package.xml b/framework/Secret/package.xml
@@ -28,6 +28,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
  <notes>
+* [mms] Only store keys in cookie if cookies are in use (Bug #13284; thomas.jarosch@intra2net.com).
 * [mms] Correctly clear secret key from cookie data (Bug #13283; thomas.jarosch@intra2net.com).
  </notes>
  <contents>
@@ -394,6 +395,7 @@ Initial release as a PEAR package
    <date>2012-11-19</date>
    <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
    <notes>
+* [mms] Only store keys in cookie if cookies are in use (Bug #13284; thomas.jarosch@intra2net.com).
 * [mms] Correctly clear secret key from cookie data (Bug #13283; thomas.jarosch@intra2net.com).
    </notes>
   </release>