
change cookie for https; updates #1004

- https only if login was https
- add flag cookie to redirect to https
- on logout destroy redirect flag cookie
Rotzbua authored and teiling88 committed Aug 4, 2016
1 parent 092eaa3 commit 0de94600d3b4ef7c9945f4bd6d25e35f6250d23a
@@ -6,11 +6,18 @@

Name: $opt['session']['cookiename'] . 'data'
File: cookie.class.php
Type: permament
Type: permanent
Contents: - login/session data (login.class.php)
- country & language selection (common.inc.php)
- last search query-id (search.php)
- translation interface mode (translate.php)
Protocol: http/https; depends on $opt['page']['https']['mode'] and protocol during login

Name: $opt['session']['cookiename'] . 'https_session'
File: cookie.class.php
Type: temporary, session created over https and while session is active
Contents: session data only available with https -> force redirect to https if http is used
Protocol: http/https

Name: 'ocgmlastpos'
Type: permanent
@@ -27,7 +34,7 @@ Type: temporary, discarded when browser closes
Contents: current map filter settings
File: map2.tpl

Nmae: 'ocgmfilter_saved'
Name: 'ocgmfilter_saved'
Type: permanent
Contents: saved map filter settings
File: map2.tpl
@@ -20,11 +20,13 @@ public function __construct()
if (isset($_COOKIE[$opt['session']['cookiename'] . 'data'])) {
//get the cookievars-array
$decoded = base64_decode($_COOKIE[$opt['session']['cookiename'] . 'data']);
echo $decoded = base64_decode($_COOKIE[$opt['session']['cookiename'] . 'data'], true);
if ($decoded !== false) {
// TODO replace by safe function
$this->values = @unserialize($decoded);
$this->values = @unserialize($decoded); // bad
//$this->values = @json_decode($decoded, true); // safe
//print_r($this->values);
if (!is_array($this->values)) {
$this->values = array();
}
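Review bot: The base64_decode line that carries the new strict `true` argument is prefixed with `echo`, which writes the decoded cookie payload (the serialized session values, including sessionid judging by header()) into the response body on every request that carries the cookie; the rendered view has lost the +/- markers, but if that line is the new side it reads as leftover debugging and should be `$decoded = base64_decode($_COOKIE[$opt['session']['cookiename'] . 'data'], true);`. The strict flag itself is a good change, since malformed base64 now yields `false` instead of being silently skipped. The `@unserialize` of a client-supplied value is already marked `// bad`; the commented-out `json_decode` alternative would close that deserialization surface and is worth finishing before the cookie layout is relied on further. __construct's body continues outside the hunk.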
@@ -74,26 +76,40 @@ public function header()
global $opt;
if ($this->changed === true) {
if (count($this->values) === 0) {
setcookie(
$opt['session']['cookiename'] . 'data',
false,
time() + 31536000,
$opt['session']['path'],
$opt['session']['domain'],
0
);
$value = null;
if (count($this->values) > 0) {
// TODO replace by safe function
$value = base64_encode(serialize($this->values)); // bad
//$value = base64_encode(json_encode($this->values)); // safe
} else {
setcookie(
$opt['session']['cookiename'] . 'data',
// TODO replace by safe function
base64_encode(serialize($this->values)),
time() + 31536000,
$opt['session']['path'],
$opt['session']['domain'],
0
);
$value = false;
}
// https used for request and https is available, then set cookie https only
$https_session = $opt['page']['https']['active']
&& $opt['page']['https']['mode'] != HTTPS_DISABLED
&& $this->is_set('sessionid') // only force https while login
&& !empty($this->get('sessionid'));
setcookie(
$opt['session']['cookiename'] . 'data',
$value,
time() + 365 * 24 * 60 * 60,
$opt['session']['path'],
$opt['session']['domain'],
$https_session // https only?
);
// if site is requested by http no session data is visible, so set cookie as flag to redirect to https
setcookie(
$opt['session']['cookiename'] . 'https_session',
$https_session,
time() + 365 * 24 * 60 * 60,
$opt['session']['path'],
$opt['session']['domain'],
0, // must be available for http
1 // communication only, no js
);
}
}
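Review bot: The rewritten data-cookie setcookie() ending in `$https_session // https only?` gains the secure flag but, unlike the https_session flag cookie set right below it, passes no httponly argument, so the session values remain readable from script while the mere redirect flag is not; unless client-side code reads this cookie, append the seventh argument: `$https_session, // https only?` / `1 // httponly, as for the flag cookie below`. The secure decision is keyed on `$opt['page']['https']['active']` at write time, so a session first written during an http request keeps a non-secure cookie until the next write over https — consistent with the commit message, but worth stating in the comment on the `$https_session` assignment. `$opt['page']['https']['mode'] != HTTPS_DISABLED` is a loose comparison; `!==` is safer if the constant is an int. header() starts outside the hunk.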
@@ -106,6 +122,6 @@ public function debug()
public function close()
{
// TODO really nothing?
// maybe destroy cookies here
// maybe destroy variables here
}
}
@@ -14,6 +14,7 @@
global $opt;
if ($opt['session']['mode'] == SAVE_SESSION) {
// Do not use, not completely implemented yet
$cookie = new SessionDataNative();
} else {
$cookie = new SessionDataCookie();
@@ -71,7 +71,8 @@ class login
public function __construct()
{
global $cookie;
// TODO good input evaluation
if ($cookie->is_set('userid') && $cookie->is_set('username')) {
$this->userid = $cookie->get('userid') + 0;
$this->username = $cookie->get('username');
@@ -38,6 +38,9 @@
$tpl->redirect('https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
}
$opt['page']['force_https_login'] = true;
} elseif (!empty($_COOKIE[$opt['session']['cookiename'] . 'https_session']) && !$opt['page']['https']['active']) {
// during login was https active -> session data is https only -> redirect to https
$tpl->redirect('https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
}
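Review bot: The new elseif redirects on a non-empty https_session cookie without consulting `$opt['page']['https']['mode']`, so a stale flag cookie keeps sending a browser to https after an operator has set the mode to HTTPS_DISABLED, where the target may no longer be served; tighten it to `} elseif ($opt['page']['https']['mode'] != HTTPS_DISABLED && !empty($_COOKIE[$opt['session']['cookiename'] . 'https_session']) && !$opt['page']['https']['active']) {`. The cookie value is client-controlled, which is acceptable here because the only effect is an upgrade to https, but the comment should say so, e.g. `// flag cookie is untrusted input; it can only ever force an upgrade to https`. The enclosing if/elseif chain starts outside the hunk.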
