From a20d6f7aed38c3df127d5bd1595dd7fe12590393 Mon Sep 17 00:00:00 2001
From: Denis Chenu
Date: Thu, 10 Nov 2016 15:40:37 +0100
Subject: [PATCH] [feature] Set secure cookies by default is connexion is secure

---
 CHANGELOG.md | 5 +++++
 application/config/internal.php | 10 +++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e0d1bed7bb..8cec8bc04cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # Change Log
 Only partial changelog, [commit history](https://framagit.org/Shnoulle/LimeSurvey/commits/2.06_SondagesPro) show all changelog.
 
+## Unreleased
+
+### Feature
+- Set secure cookies by default is connexion is secure
+
 ## [1.1.0] - 2016-11-10
 
 ### Fix
diff --git a/application/config/internal.php b/application/config/internal.php
index d857668bdd0..c6edcaa8c11 100644
--- a/application/config/internal.php
+++ b/application/config/internal.php
@@ -47,13 +47,15 @@
         ),
         'request' => array(
             'class'=>'LSHttpRequest',
+            'enableCsrfValidation'=>true, // CSRF protection
+            'enableCookieValidation'=>false, // Enable to activate cookie protection
+            'csrfCookie' => array(
+                'secure' => (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off'), // @see session
+            ),
             'noCsrfValidationRoutes'=>array(
                 'remotecontrol',
                 'plugins/unsecure',
             ),
-
-            'enableCsrfValidation'=>true, // CSRF protection
-            'enableCookieValidation'=>false // Enable to activate cookie protection
         ),
         'user' => array(
             'class' => 'LSWebUser',
@@ -87,6 +89,8 @@
         'session' => array(
             'cookieParams' => array(
                 'httponly' => true,
+                // Set secure if needed , some dumb server need || $_SERVER['SERVER_PORT'] == 443 . See @link http://stackoverflow.com/a/2886224/2239406
+                'secure'=>(!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off'),
             ),
         ),
         'messages' => array(
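Review bot: The HTTPS test `(!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')` is written out twice, once for `csrfCookie` in this hunk and again for the session `cookieParams` in the next hunk, so the two cookies can silently disagree if one copy is later changed; compute it once above the array, e.g. `$bSecureConnection = (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off');`, and use `'secure' => $bSecureConnection` in both places. The session cookie gets `'httponly' => true` but the CSRF cookie only gets `secure`; if `csrfCookie` is a Yii 1 CHttpCookie config, `'httpOnly' => true` there would give it the same protection against script access. The `// @see session` comment would be clearer as `// same rule as session.cookieParams.secure below`. The enclosing config array starts and ends outside the hunk.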
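Review bot: The new `secure` flag is derived only from `$_SERVER['HTTPS']`, so behind a TLS-terminating reverse proxy (where PHP sees a plain-HTTP connection) the session cookie is sent without `Secure` and nothing reports it; the comment itself notes the `SERVER_PORT == 443` case but the code does not handle it. A safer shape is to let the deployment override the detection rather than infer it, e.g. `'secure' => $bSecureConnection` where the variable defaults to the HTTPS test but can be forced to `true` by a config setting, and to log or document that proxies must be accounted for explicitly. The comment wording `some dumb server need || $_SERVER['SERVER_PORT'] == 443` should be rewritten as a plain note, e.g. `// Some servers only expose the TLS state via SERVER_PORT == 443; override this value when behind a proxy.`. The `'secure'=>` spacing also differs from the `'httponly' => true` line just above it.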