MDL-11494 MDL-13623 - support for secure and httponly cookies; merged…
… from MOODLE_19_STABLE
skodak committed Feb 24, 2008
1 parent a90e92a commit 4ea8df2
Showing 4 changed files with 20 additions and 5 deletions.
2 changes: 2 additions & 0 deletions admin/settings/security.php
Expand Up @@ -58,6 +58,8 @@
// "httpsecurity" settingpage
$temp = new admin_settingpage('httpsecurity', get_string('httpsecurity', 'admin'));
$temp->add(new admin_setting_configcheckbox('loginhttps', get_string('loginhttps', 'admin'), get_string('configloginhttps', 'admin'), 0));
$temp->add(new admin_setting_configcheckbox('cookiesecure', get_string('cookiesecure', 'admin'), get_string('configcookiesecure', 'admin'), 0));
$temp->add(new admin_setting_configcheckbox('cookiehttponly', get_string('cookiehttponly', 'admin'), get_string('configcookiehttponly', 'admin'), 0));
$ADMIN->add('security', $temp);


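Review bot: The `cookiesecure` checkbox added on line 20 is offered regardless of the wwwroot scheme, while lib/setup.php in this same commit forces the value off whenever wwwroot does not start with `https://`, so the admin page can show the option as enabled when it has no effect at runtime. If `$CFG` is in scope in this settings file, the checkbox could be added only when `strpos($CFG->wwwroot, 'https://') === 0`, or the override could be surfaced in the checkbox description (the English string mentions it, but other language packs may not). The surrounding settingpage lines are unchanged context.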
4 changes: 4 additions & 0 deletions lang/en_utf8/admin.php
Expand Up @@ -73,6 +73,8 @@
$string['configclamactlikevirus'] = 'Treat files like viruses';
$string['configclamdonothing'] = 'Treat files as OK';
$string['configclamfailureonupload'] = 'If you have configured clam to scan uploaded files, but it is configured incorrectly or fails to run for some unknown reason, how should it behave? If you choose \'Treat files like viruses\', they\'ll be moved into the quarantine area, or deleted. If you choose \'Treat files as OK\', the files will be moved to the desination directory like normal. Either way, admins will be alerted that clam has failed. If you choose \'Treat files like viruses\' and for some reason clam fails to run (usually because you have entered an invalid pathtoclam), ALL files that are uploaded will be moved to the given quarantine area, or deleted. Be careful with this setting.';
$string['configcookiehttponly'] = 'Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.';
$string['configcookiesecure'] = 'If server is accepting only https connections it is recommended to enable sending of secure cookies. If enabled please make sure that web server is not accepting http:// or set up pernament redirection to https:// address. When <em>wwwroot</em> address does not start with https:// this setting is turned off automatically.';
$string['configcountry'] = 'If you set a country here, then this country will be selected by default on new user accounts. To force users to choose a country, just leave this unset.';
$string['configcoursemanager'] = 'This setting allows you to control who appears on the course description. Users need to have at least one of these roles in a course to be shown on the course description for that course.';
$string['configcoursesperpage'] = 'Enter the number of courses to be display per page in a course listing.';
Expand Down Expand Up @@ -239,6 +241,8 @@
$string['configzip'] = 'Indicate the location of your zip program (Unix only, optional). If specified, this will be used to create zip archives on the server. If you leave this blank, then Moodle will use internal routines.';
$string['confirmation'] = 'Confirmation';
$string['confirminstall'] = 'You are about to install language pack ($a), are you sure?';
$string['cookiehttponly'] = 'Only http cookies';
$string['cookiesecure'] = 'Secure cookies only';
$string['country'] = 'Default country';
$string['coursemanager'] = 'Course managers';
$string['coursemgmt'] = 'Add/edit courses';
7 changes: 4 additions & 3 deletions lib/moodlelib.php
Expand Up @@ -2061,7 +2061,7 @@ function require_logout() {
error_log('MoodleSessionTest cookie could not be set in moodlelib.php:'.__LINE__);
error_log('Headers were already sent in file: '.$file.' on line '.$line);
} else {
setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath);
setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
}

unset($_SESSION['USER']);
Expand Down Expand Up @@ -2611,6 +2611,7 @@ function set_moodle_cookie($thing) {
$days = 60;
$seconds = DAYSECS*$days;

// no need to set secure or http cookie only here - it is not secret
setCookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath);
setCookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath);
}
Expand Down Expand Up @@ -7752,8 +7753,8 @@ function report_session_error() {
moodle_setlocale();

//clear session cookies
setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath);
setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath);
setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
//increment database error counters
if (isset($CFG->session_error_counter)) {
set_config('session_error_counter', 1 + $CFG->session_error_counter);
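Review bot: The seventh setcookie() argument on line 52, `$CFG->cookiehttponly`, only exists from PHP 5.2.0 — the new admin string itself calls HttpOnly a "new PHP 5.2.0 feature" — and on earlier PHP 5 releases an internal function called with too many arguments emits a warning and returns null without setting the cookie, so logout would stop clearing the session-test cookie there. The same seven-argument shape is repeated at lines 70–71 in report_session_error() and in lib/setup.php on both session_set_cookie_params() and the session-test setcookie(). If this branch still supports PHP below 5.2.0, the HttpOnly argument should be passed only when the running PHP accepts it, ideally through one small wrapper so the argument list is not duplicated at four call sites. require_logout() begins outside this hunk.
```php
// Passes the PHP 5.2-only httponly argument only where setcookie() accepts it.
function moodle_setcookie($name, $value, $expire) {
    global $CFG;
    if (version_compare(phpversion(), '5.2.0', '>=')) {
        return setcookie($name, $value, $expire, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
    }
    return setcookie($name, $value, $expire, $CFG->sessioncookiepath, '', $CFG->cookiesecure);
}
// … unchanged: call sites become moodle_setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600); …
```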
12 changes: 10 additions & 2 deletions lib/setup.php
Expand Up @@ -488,6 +488,14 @@ function addslashes_deep($value) {

/// Load up global environment variables

if (!isset($CFG->cookiesecure) or strpos($CFG->wwwroot, 'https://') !== 0) {
$CFG->cookiesecure = false;
}

if (!isset($CFG->cookiehttponly)) {
$CFG->cookiehttponly = false;
}

//discard session ID from POST, GET and globals to tighten security,
//this session fixation prevention can not be used in cookieless mode
if (empty($CFG->usesid)) {
Expand All @@ -509,15 +517,15 @@ function addslashes_deep($value) {

if (empty($nomoodlecookie)) {
session_name('MoodleSession'.$CFG->sessioncookie);
session_set_cookie_params(0, $CFG->sessioncookiepath);
session_set_cookie_params(0, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
@session_start();
if (! isset($_SESSION['SESSION'])) {
$_SESSION['SESSION'] = new object;
$_SESSION['SESSION']->session_test = random_string(10);
if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
$_SESSION['SESSION']->has_timed_out = true;
}
setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath);
setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
$_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] = $_SESSION['SESSION']->session_test;
}
if (! isset($_SESSION['USER'])) {
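Review bot: The defaulting block on lines 81–83 forces `$CFG->cookiesecure` off whenever wwwroot does not begin with `https://`, but `strpos(..., 'https://') !== 0` is case-sensitive and byte-exact, so a wwwroot written as `HTTPS://…` or with a leading space would silently disable secure cookies; unless wwwroot is normalised earlier in setup (not visible here), comparing `strtolower(trim($CFG->wwwroot))` would match what the admin string promises. The block also carries no explanation, and the stored admin value is left untouched while being ignored; a comment such as `// Secure cookies are never sent over plain http and would make the session unreachable, so the setting is honoured only when wwwroot itself is https.` would record the reasoning. Both new statements appear to be at file top level (the `addslashes_deep` context in the hunk header is only git's nearest preceding function).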
