
Change Context::isAlwaysSSL() to config('session.use_ssl_cookies')

- Main session cookie is httpOnly if use_ssl is true
- SSO cookie is always httpOnly
kijin committed Aug 5, 2018
1 parent 2c9bb88 commit a49f2f5f060f982fa2a03864b9bc0968010b993d
@@ -300,7 +300,7 @@ public static function init()
{
if($_COOKIE['lang_type'] !== $lang_type)
{
setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, self::isAlwaysSSL());
setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
}
}
elseif($_COOKIE['lang_type'])
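Review bot: The replacement expression `!!config('session.use_ssl_cookies')` is now repeated verbatim on the new setcookie line here and again in the +316 hunk of Context::init, in isFromMobilePhone and in dispMemberSignUpForm, while the method that used to centralise the flag, Context::isAlwaysSSL(), is deleted by this commit. Consider keeping one accessor, for example a deprecated shim `public static function isAlwaysSSL($purge_cache = false) { return (bool) config('session.use_ssl_cookies'); }` or a new helper with a clearer name, so the flag is computed in one place and third-party code calling the removed public method does not fatal; whether such callers exist is inferred, not visible here. `(bool) config(...)` reads more clearly than `!!config(...)` and is equivalent. init()'s body begins and ends outside the hunk.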
@@ -316,7 +316,7 @@ public static function init()
if(!strncasecmp($lang_code, $_SERVER['HTTP_ACCEPT_LANGUAGE'], strlen($lang_code)))
{
$lang_type = $lang_code;
setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, self::isAlwaysSSL());
setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
}
}
}
@@ -617,23 +617,6 @@ public static function getSslStatus()
return self::get('_use_ssl');
}
/**
* Return ssl status
*
* @param boolen $purge_cache Set true to get uncached SSL_enforce value.
* @return boolean (true|false)
*/
public static function isAlwaysSSL($purge_cache = false)
{
static $ssl_only = null;
if(is_null($ssl_only) || $purge_cache === true)
{
$ssl_only = (self::get('site_module_info')->security === 'always' ? true : false);
}
return $ssl_only;
}
/**
* Return default URL
*
@@ -1714,13 +1697,12 @@ public static function getUrl($num_args = 0, $args_list = array(), $domain = nul
}
// If using SSL always
$_use_ssl = self::get('_use_ssl');
if($_use_ssl == 'always')
if($site_module_info->security == 'always')
{
$query = self::getRequestUri(ENFORCE_SSL, $domain) . $query;
}
// optional SSL use
elseif($_use_ssl == 'optional')
elseif($site_module_info->security == 'optional')
{
$ssl_mode = ((self::get('module') === 'admin') || ($get_vars['module'] === 'admin') || (isset($get_vars['act']) && self::isExistsSSLAction($get_vars['act']))) ? ENFORCE_SSL : RELEASE_SSL;
$query = self::getRequestUri($ssl_mode, $domain) . $query;
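Review bot: The new comparisons `if($site_module_info->security == 'always')` and `elseif($site_module_info->security == 'optional')` use loose `==`, while the equivalent check this commit adds in getRequestUri uses `===`; `security` is compared as a string everywhere else on this page, so `===` is the consistent choice: `if($site_module_info->security === 'always')` and `elseif($site_module_info->security === 'optional')`. `$site_module_info` is not assigned anywhere in the visible lines of this hunk; presumably it is fetched earlier in getUrl, whose body starts and ends outside the hunk, so it is worth confirming it cannot be null at this point.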
@@ -1786,7 +1768,8 @@ public static function getRequestUri($ssl_mode = FOLLOW_REQUEST_SSL, $domain = n
return;
}
if(self::isAlwaysSSL())
$site_module_info = self::get('site_module_info');
if ($site_module_info->security === 'always')
{
$ssl_mode = ENFORCE_SSL;
}
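Review bot: `$site_module_info->security` is read immediately after `self::get('site_module_info')` with no null check; if that context key can be unset when getRequestUri runs (inferred, nothing here shows when it is populated), this emits a warning and silently treats the site as non-SSL. The removed assignment further down did the same unchecked access, so the risk is not new, but the hoisted line is a natural place to make it explicit: `if ($site_module_info && $site_module_info->security === 'always')`. getRequestUri's body continues outside the hunk.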
@@ -1801,7 +1784,6 @@ public static function getRequestUri($ssl_mode = FOLLOW_REQUEST_SSL, $domain = n
break;
}
$site_module_info = self::get('site_module_info');
if ($domain !== null && $domain !== false && $domain !== $site_module_info->domain)
{
if (!isset($domain_infos[$domain]))
@@ -73,7 +73,7 @@ public static function isFromMobilePhone()
$uatype = $uahash . ':' . (self::$_ismobile ? '1' : '0');
if ($cookie !== $uatype)
{
setcookie('rx_uatype', $uatype, 0, null, null, Context::isAlwaysSSL());
setcookie('rx_uatype', $uatype, 0, null, null, !!config('session.use_ssl_cookies'));
$_COOKIE['rx_uatype'] = $uatype;
}
@@ -80,7 +80,7 @@ public static function start($force = false, $relax_key_checks = false)
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.use_strict_mode', 1);
session_set_cookie_params($lifetime, $path, null, $ssl_only, true);
session_set_cookie_params($lifetime, $path, null, $ssl_only, $ssl_only);
session_name($session_name = Config::get('session.name') ?: session_name());
// Get session ID from POST parameter if using relaxed key checks.
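Review bot: The new `session_set_cookie_params($lifetime, $path, null, $ssl_only, $ssl_only)` ties the HttpOnly flag to the Secure flag, so on sites where `$ssl_only` is false the session cookie becomes readable from script, whereas the replaced line always passed `true`. HttpOnly and Secure are independent protections: the first keeps the session id away from injected script, the second keeps it off plaintext transport, and neither is a reason to drop the other. Unless some client-side code has to read the session cookie on non-SSL sites (nothing visible here suggests it), keep the last argument as `true`; if the coupling is intentional, a comment stating why belongs on this line. start()'s body continues outside the hunk.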
@@ -295,7 +295,7 @@ public static function checkSSO($site_module_info)
if(!$is_default_domain && !\Context::get('sso_response') && $_COOKIE['sso'] !== md5($current_domain))
{
// Set sso cookie to prevent multiple simultaneous SSO validation requests.
setcookie('sso', md5($current_domain), 0, '/', null, \Context::isAlwaysSSL(), true);
setcookie('sso', md5($current_domain), 0, '/', null, !!config('session.use_ssl'), true);
// Redirect to the default site.
$sso_request = Security::encrypt($current_url);
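Review bot: The SSO cookie's secure flag reads `config('session.use_ssl')`, while every other cookie changed in this commit, and the commit title, read `config('session.use_ssl_cookies')`. If the SSO cookie is meant to follow the session cookie's setting rather than the general cookie setting, say so on the line, e.g. `// Secure flag follows the session cookie setting, not session.use_ssl_cookies`; if not, change it to `setcookie('sso', md5($current_domain), 0, '/', null, !!config('session.use_ssl_cookies'), true);`. As written, the different key is easy to mistake for a typo. Separately, the `$_COOKIE['sso']` read on the condition above is unguarded and will raise a notice when the cookie is absent, which this commit does not touch. checkSSO's body continues outside the hunk.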
@@ -1056,7 +1056,7 @@ function setCookie(name, value, expire, path) {
var s_cookie = name + "=" + escape(value) +
((!expire) ? "" : ("; expires=" + expire.toGMTString())) +
"; path=" + ((!path) ? "/" : path) +
((enforce_ssl) ? ";secure" : "");
((cookies_ssl) ? ";secure" : "");
document.cookie = s_cookie;
}
@@ -55,7 +55,8 @@
var current_mid = {json_encode($mid ?: null)};
var http_port = {Context::get("_http_port") ?: 'null'};
var https_port = {Context::get("_https_port") ?: 'null'};
var enforce_ssl = {Context::get('_use_ssl') === 'always' ? 'true' : 'false'};
var enforce_ssl = {$site_module_info->security === 'always' ? 'true' : 'false'};
var cookies_ssl = {config('session.use_ssl_cookies') ? 'true' : 'false'};
var ssl_actions = {json_encode(array_keys(Context::getSSLActions()))};
var xeVid = null;
</script>
@@ -51,17 +51,17 @@
<div class="x_control-group">
<label class="x_control-label">{$lang->use_session_ssl}</label>
<div class="x_controls">
<label for="use_session_ssl_y" class="x_inline"><input type="radio" name="use_session_ssl" id="use_session_ssl_y" value="Y" checked="checked"|cond="$use_session_ssl && $use_ssl === 'always'" disabled="disabled"|cond="$use_ssl !== 'always'" /> {$lang->cmd_yes}</label>
<label for="use_session_ssl_n" class="x_inline"><input type="radio" name="use_session_ssl" id="use_session_ssl_n" value="N" checked="checked"|cond="!$use_session_ssl || $use_ssl !== 'always'" disabled="disabled"|cond="$use_ssl !== 'always'" /> {$lang->cmd_no}</label>
<label for="use_session_ssl_y" class="x_inline"><input type="radio" name="use_session_ssl" id="use_session_ssl_y" value="Y" checked="checked"|cond="$use_session_ssl && $site_module_info->security === 'always'" disabled="disabled"|cond="$site_module_info->security !== 'always'" /> {$lang->cmd_yes}</label>
<label for="use_session_ssl_n" class="x_inline"><input type="radio" name="use_session_ssl" id="use_session_ssl_n" value="N" checked="checked"|cond="!$use_session_ssl || $site_module_info->security !== 'always'" disabled="disabled"|cond="$site_module_info->security !== 'always'" /> {$lang->cmd_no}</label>
<br />
<p class="x_help-block">{$lang->about_use_session_ssl}</p>
</div>
</div>
<div class="x_control-group">
<label class="x_control-label">{$lang->use_cookies_ssl}</label>
<div class="x_controls">
<label for="use_cookies_ssl_y" class="x_inline"><input type="radio" name="use_cookies_ssl" id="use_cookies_ssl_y" value="Y" checked="checked"|cond="$use_cookies_ssl && $use_ssl === 'always'" disabled="disabled"|cond="$use_ssl !== 'always'" /> {$lang->cmd_yes}</label>
<label for="use_cookies_ssl_n" class="x_inline"><input type="radio" name="use_cookies_ssl" id="use_cookies_ssl_n" value="N" checked="checked"|cond="!$use_cookies_ssl || $use_ssl !== 'always'" disabled="disabled"|cond="$use_ssl !== 'always'" /> {$lang->cmd_no}</label>
<label for="use_cookies_ssl_y" class="x_inline"><input type="radio" name="use_cookies_ssl" id="use_cookies_ssl_y" value="Y" checked="checked"|cond="$use_cookies_ssl && $site_module_info->security === 'always'" disabled="disabled"|cond="$site_module_info->security !== 'always'" /> {$lang->cmd_yes}</label>
<label for="use_cookies_ssl_n" class="x_inline"><input type="radio" name="use_cookies_ssl" id="use_cookies_ssl_n" value="N" checked="checked"|cond="!$use_cookies_ssl || $site_module_info->security !== 'always'" disabled="disabled"|cond="$site_module_info->security !== 'always'" /> {$lang->cmd_no}</label>
<br />
<p class="x_help-block">{$lang->about_use_cookies_ssl}</p>
</div>
@@ -192,7 +192,7 @@ function _getDisplayedMemberInfo($memberInfo, $extendFormInfo, $memberConfig)
function dispMemberSignUpForm()
{
//setcookie for redirect url in case of going to member sign up
setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER'], 0, '/', null, Context::isAlwaysSSL());
setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER'], 0, '/', null, !!config('session.use_ssl_cookies'));
$member_config = $this->member_config;
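Review bot: The rewritten `setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER'], 0, '/', null, ...)` still stores the raw Referer header, a client-supplied value, for use as a later redirect target, and it emits an undefined-index notice when no Referer is sent. Before storing it, check that the header is present and that its host matches this site's configured domain, and skip setting the cookie otherwise; a redirect target taken unchecked from a request header is a classic open-redirect source. The secure-flag change itself is consistent with the other cookies in this commit. dispMemberSignUpForm's body continues outside the hunk.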
@@ -8,7 +8,7 @@
dt.setTime(dt.getTime() + (d * 24 * 60 * 60000));
e = "; expires=" + dt.toGMTString();
}
document.cookie = n + "=" + v + e + "; path=/" + ((enforce_ssl) ? ";secure" : "");
document.cookie = n + "=" + v + e + "; path=/" + ((cookies_ssl) ? ";secure" : "");
}
var n = $('#nc_container');
