
MDL-29312 prevent cookieless mode for security reasons

skodak committed Sep 11, 2011
1 parent 4f65f98 commit f0a75425cb675c8f05a76e55204fbafe7b95127f
Showing with 4 additions and 9 deletions.
  1. +0 −2 auth/mnet/auth.php
  2. +4 −7 lib/sessionlib.php
@@ -890,8 +890,6 @@ function keepalive_server($array) {
global $CFG, $DB;
$remoteclient = get_mnet_remote_client();
$CFG->usesid = true;
// We don't want to output anything to the client machine
$start = ob_start();
@@ -106,7 +106,7 @@ public function __construct() {
if (NO_MOODLE_COOKIES) {
// session not used at all
$CFG->usesid = 0;
$CFG->usesid = false;
$_SESSION = array();
$_SESSION['SESSION'] = new stdClass();
@@ -118,12 +118,9 @@ public function __construct() {
$newsession = empty($_COOKIE['MoodleSession'.$CFG->sessioncookie]);
if (!empty($CFG->usesid) && $newsession) {
sid_start_ob();
} else {
$CFG->usesid = 0;
ini_set('session.use_trans_sid', '0');
}
// cookieless mode is prevented for security reasons
$CFG->usesid = false;
ini_set('session.use_trans_sid', '0');
session_name('MoodleSession'.$CFG->sessioncookie);
session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
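Review bot: The unconditional block after the `$newsession` check turns off `session.use_trans_sid`, which stops PHP from rewriting URLs with the session id, but nothing visible in this hunk sets `session.use_only_cookies`, so whether a session id supplied in the query string is still accepted appears to depend on php.ini. If it is not set elsewhere in the file, adding `ini_set('session.use_only_cookies', '1');` next to the existing `ini_set` call would make the guarantee independent of server configuration. The new comment could also state the reason, for example `// cookieless mode is prevented: session ids in URLs leak through Referer headers, logs and shared links, and make session fixation easier`. The constructor body starts and ends outside the hunk, so this should be checked against the rest of `__construct()`.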
