Enable secure cookies #6868
Enable secure cookies #6868
Conversation
Enables secure cookies for authentication when HTTPS is used.
|
|
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
config.php.default
Outdated
| @@ -49,3 +49,6 @@ $config['enable_billing'] = 1; | |||
|
|
|||
| # Enable the in-built services support (Nagios plugins) | |||
| $config['show_services'] = 1; | |||
|
|
|||
| # Uncomment the following line if you're using HTTPS and want secure session cookies | |||
| # ini_set('session.cookie_secure', 1); | |||
There was a problem hiding this comment.
Don't put code in this file, only config definitions.
You can move this to init.php
Also, any reason not to do this by default? Does it break setups that don't have http?
Commented out because having this enabled will prevent the server from sending cookies over HTTPS.
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
1 similar comment
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
|
@murrant, the Travis CI build failed, but I don't think it is as a result of my code as the lines I added were commented out and the error related to a syslog test that appears to be a result of the previous merge. |
| setcookie('sess_id', $sess_id, $expiration, '/', null, false, true); | ||
| setcookie('token', $token_id, $expiration, '/', null, false, true); | ||
| setcookie('auth', $auth, $expiration, '/', null, false, true); | ||
| // Params: name, value, expire, path, domain, secure, httponly |
There was a problem hiding this comment.
you can get rid of all of these comments.
| // Params: name, value, expire, path, domain, secure, httponly | ||
| // We set the secure param to $_SERVER["HTTPS"], which will return true | ||
| // and make it a secure cookie if HTTPS is being used | ||
| setcookie('sess_id', $sess_id, $expiration, '/', null, $_SERVER["HTTPS"], true); |
There was a problem hiding this comment.
I'm not really sure we should just be basing it on if the user is connecting over https or not as surely that's what we have now.
Would it not be better to have the user set in config.php if the connection should be secure and use that variable here?
There was a problem hiding this comment.
I'll set an option in config.php.
includes/init.php
Outdated
| @@ -90,6 +90,9 @@ | |||
| require $install_dir . '/includes/definitions.inc.php'; | |||
| include $install_dir . '/config.php'; | |||
|
|
|||
| # Uncomment the following line if you're using HTTPS and want secure session cookies | |||
There was a problem hiding this comment.
Please use // instead of # just to be consistent.
We should use the same config variable we would use in setcookie() to also run this ini_set() which would be better placed in includes/process_config.inc.php
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
1 similar comment
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
2 similar comments
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
|
Auto-Deploy finished, Test PR at http://6868.ci.librenms.org or https://6868.ci.librenms.org |
|
I've pushed a fix for the travis failures, you'll have to merge it to fix your build failure. |
|
DO NOT DELETE THIS TEXT Please note
TestersIf you would like to test this pull request then please run: Forgot to include this earlier, sorry. |
config.php.default
Outdated
| @@ -49,3 +49,6 @@ $config['enable_billing'] = 1; | |||
|
|
|||
| # Enable the in-built services support (Nagios plugins) | |||
| $config['show_services'] = 1; | |||
|
|
|||
| # Whether to use secure cookies. Should be true if you're using HTTPS | |||
| $config['secure_cookies'] = false; | |||
There was a problem hiding this comment.
Lets move this to includes/defaults.inc.php and then this looks good to go.
Thanks for discussing in depth :)
|
There's a bit of an issue. When I try and apply the patch it says |
|
The git issue is fixed - it still complains about whitespace, but it applies the patches. |
|
The inspection completed: No new issues |
|
LGTM |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. |
This will enable secure cookies automatically over HTTPS and has a line in
config.default.phpthat can be uncommented to enable secure session cookies.Would you like me to add any documentation on the line in
config.default.php?Testers
If you would like to test this pull request then please run:
./scripts/github-apply <pr_id>, i.e./scripts/github-apply 5926fixes: #6866