From 4ea8df21735a9938dcc8e12e1833c86d8782428d Mon Sep 17 00:00:00 2001
From: skodak
Date: Sun, 24 Feb 2008 12:46:37 +0000
Subject: [PATCH] MDL-11494 MDL-13623 - support for secure and httponly cookies; merged from MOODLE_19_STABLE
---
 admin/settings/security.php | 2 ++
 lang/en_utf8/admin.php | 4 ++++
 lib/moodlelib.php | 7 ++++---
 lib/setup.php | 12 ++++++++++--
 4 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/admin/settings/security.php b/admin/settings/security.php
index 7120396a8480c..7ae451078a2f9 100644
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -58,6 +58,8 @@
 // "httpsecurity" settingpage
 $temp = new admin_settingpage('httpsecurity', get_string('httpsecurity', 'admin'));
 $temp->add(new admin_setting_configcheckbox('loginhttps', get_string('loginhttps', 'admin'), get_string('configloginhttps', 'admin'), 0));
+ $temp->add(new admin_setting_configcheckbox('cookiesecure', get_string('cookiesecure', 'admin'), get_string('configcookiesecure', 'admin'), 0));
+ $temp->add(new admin_setting_configcheckbox('cookiehttponly', get_string('cookiehttponly', 'admin'), get_string('configcookiehttponly', 'admin'), 0));
 $ADMIN->add('security', $temp);
diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php
index 4f4cdbdb3b997..b140b18977e09 100644
--- a/lang/en_utf8/admin.php
+++ b/lang/en_utf8/admin.php
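Review bot: The new `cookiesecure` checkbox can be saved as enabled while the value is discarded at runtime, because the lib/setup.php hunk in this same patch assigns `$CFG->cookiesecure = false` for a non-https wwwroot without touching the stored config, so the admin page keeps showing the box ticked. An administrator reading "turned off automatically" in the help text may believe secure cookies are active when they are not. Consider stating this in the `configcookiesecure` help string, e.g. `... the setting is ignored at runtime but the saved value is not changed.`, or presenting the checkbox as disabled when wwwroot is not https.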
@@ -73,6 +73,8 @@
 $string['configclamactlikevirus'] = 'Treat files like viruses';
 $string['configclamdonothing'] = 'Treat files as OK';
 $string['configclamfailureonupload'] = 'If you have configured clam to scan uploaded files, but it is configured incorrectly or fails to run for some unknown reason, how should it behave? If you choose \'Treat files like viruses\', they\'ll be moved into the quarantine area, or deleted. If you choose \'Treat files as OK\', the files will be moved to the desination directory like normal. Either way, admins will be alerted that clam has failed. If you choose \'Treat files like viruses\' and for some reason clam fails to run (usually because you have entered an invalid pathtoclam), ALL files that are uploaded will be moved to the given quarantine area, or deleted. Be careful with this setting.';
+$string['configcookiehttponly'] = 'Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.';
+$string['configcookiesecure'] = 'If server is accepting only https connections it is recommended to enable sending of secure cookies. If enabled please make sure that web server is not accepting http:// or set up pernament redirection to https:// address. When wwwroot address does not start with https:// this setting is turned off automatically.';
 $string['configcountry'] = 'If you set a country here, then this country will be selected by default on new user accounts. To force users to choose a country, just leave this unset.';
 $string['configcoursemanager'] = 'This setting allows you to control who appears on the course description. 
Users need to have at least one of these roles in a course to be shown on the course description for that course.';
 $string['configcoursesperpage'] = 'Enter the number of courses to be display per page in a course listing.';
@@ -239,6 +241,8 @@
 $string['configzip'] = 'Indicate the location of your zip program (Unix only, optional). If specified, this will be used to create zip archives on the server. If you leave this blank, then Moodle will use internal routines.';
 $string['confirmation'] = 'Confirmation';
 $string['confirminstall'] = 'You are about to install language pack ($a), are you sure?';
+$string['cookiehttponly'] = 'Only http cookies';
+$string['cookiesecure'] = 'Secure cookies only';
 $string['country'] = 'Default country';
 $string['coursemanager'] = 'Course managers';
 $string['coursemgmt'] = 'Add/edit courses';
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index d276476cd8df4..47ba45eba63a4 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -2061,7 +2061,7 @@ function require_logout() {
 error_log('MoodleSessionTest cookie could not be set in moodlelib.php:'.__LINE__);
 error_log('Headers were already sent in file: '.$file.' on line '.$line);
 } else {
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath);
+ setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
 }
 unset($_SESSION['USER']);
@@ -2611,6 +2611,7 @@ function set_moodle_cookie($thing) {
 $days = 60;
 $seconds = DAYSECS*$days;
+ // no need to set secure or http cookie only here - it is not secret
 setCookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath);
 setCookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath);
 }
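Review bot: The seventh argument added to `setcookie()` in the replaced line of require_logout() only exists from PHP 5.2.0; on an older interpreter an extra argument to a builtin raises an "expects at most 6 parameters" warning and the call returns without sending anything, so the MoodleSessionTest cookie would never be cleared here, and in lib/setup.php the session cookie would never be set at all. The `configcookiehttponly` string added in this patch itself calls httponly a "new PHP 5.2.0 feature", so if this branch still runs on older PHP the argument has to be passed conditionally, as below, or through one small wrapper used by every call site. The same applies to both `setcookie()` calls in report_session_error(), to `session_set_cookie_params()` and to the MoodleSessionTest `setcookie()` in the lib/setup.php hunks. require_logout() begins before this hunk.
```php
} else {
    // the httponly argument exists only from PHP 5.2.0; on older builds the
    // extra argument makes setcookie() warn and the cookie is not sent at all
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
    } else {
        setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure);
    }
}
```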
@@ -7752,8 +7753,8 @@ function report_session_error() {
 moodle_setlocale();
 //clear session cookies
- setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath);
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath);
+ setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
+ setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
 //increment database error counters
 if (isset($CFG->session_error_counter)) {
 set_config('session_error_counter', 1 + $CFG->session_error_counter);
diff --git a/lib/setup.php b/lib/setup.php
index 366f394d206ad..1dbc9f90ea400 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -488,6 +488,14 @@ function addslashes_deep($value) {
 /// Load up global environment variables
+ if (!isset($CFG->cookiesecure) or strpos($CFG->wwwroot, 'https://') !== 0) {
+ $CFG->cookiesecure = false;
+ }
+
+ if (!isset($CFG->cookiehttponly)) {
+ $CFG->cookiehttponly = false;
+ }
+
 //discard session ID from POST, GET and globals to tighten security,
 //this session fixation prevention can not be used in cookieless mode
 if (empty($CFG->usesid)) {
@@ -509,7 +517,7 @@ function addslashes_deep($value) {
 if (empty($nomoodlecookie)) {
 session_name('MoodleSession'.$CFG->sessioncookie);
- session_set_cookie_params(0, $CFG->sessioncookiepath);
+ session_set_cookie_params(0, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
 @session_start();
 if (! isset($_SESSION['SESSION'])) {
 $_SESSION['SESSION'] = new object;
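Review bot: The condition in the lib/setup.php @@ -488 hunk that forces `$CFG->cookiesecure` off lacks a comment saying why the wwwroot scheme matters, and it reads like a defensive default rather than the lock-out guard it is: a browser never returns a cookie flagged Secure over plain http, so on an http:// wwwroot a secure session cookie would never come back and no login could persist. A line such as `// force cookiesecure off on http:// sites - a Secure cookie would never be sent back and every login would be lost` above the `if` would make the intent clear to the next maintainer. The `strpos($CFG->wwwroot, 'https://') !== 0` test is also case-sensitive, so a wwwroot written as `HTTPS://` would be treated as plain http; this is presumably rare since wwwroot is normally lower-case, but `stripos` would remove the surprise. The surrounding top-level code of lib/setup.php continues outside the hunk.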
@@ -517,7 +525,7 @@ function addslashes_deep($value) {
 if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
 $_SESSION['SESSION']->has_timed_out = true;
 }
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath);
+ setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
 $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] = $_SESSION['SESSION']->session_test;
 }
 if (! isset($_SESSION['USER'])) {