diff --git a/apps/user_openid/phpmyid.php b/apps/user_openid/phpmyid.php
index 09538b61ab16a3ffed0f97be75cd19d5cdf08286..5009fa410aac340ba46685375621ee86f9c52e78 100644
--- a/apps/user_openid/phpmyid.php
+++ b/apps/user_openid/phpmyid.php
@@ -1069,6 +1069,9 @@ function destroy_assoc_handle ( $id ) {
 session_write_close();
 session_id($id);
+ if (OC_Config::getValue( "forcessl", false )) {
+ ini_set("session.cookie_secure", "on");
+ }
 session_start();
 session_destroy();
@@ -1194,6 +1197,9 @@ function new_assoc ( $expiration ) {
 session_write_close();
 }
+ if (OC_Config::getValue( "forcessl", false )) {
+ ini_set("session.cookie_secure", "on");
+ }
 session_start();
 session_regenerate_id('false');
@@ -1265,6 +1271,9 @@ function secret ( $handle ) {
 }
 session_id($handle);
+ if (OC_Config::getValue( "forcessl", false )) {
+ ini_set("session.cookie_secure", "on");
+ }
 session_start();
 debug('Started session to acquire key: ' . session_id());
@@ -1467,6 +1476,9 @@ function user_session () {
 global $proto, $profile;
 session_name('phpMyID_Server');
+ if (OC_Config::getValue( "forcessl", false )) {
+ ini_set("session.cookie_secure", "on");
+ }
 @session_start();
 $profile['authorized'] = (isset($_SESSION['auth_username'])
diff --git a/files/ajax/timezone.php b/files/ajax/timezone.php
index 93d06611a0d977fb830ad576feca1a0faaf632a7..8e1d2aa1ec132b37677ae99614b81154e23f3128 100644
--- a/files/ajax/timezone.php
+++ b/files/ajax/timezone.php
@@ -1,4 +1,6 @@
 <?php
+ // FIXME: this should start a secure session if forcessl is enabled
+ // see lib/base.php for an example
 session_start();
 $_SESSION['timezone'] = $_GET['time'];
-?>
\ No newline at end of file
+?>
diff --git a/lib/base.php b/lib/base.php
index ec6b2e98df0182aaeb456db3c28cc60ad9892bc4..de2e7a36eeedc41f2b665ec1d86d54babe51e73b 100644
--- a/lib/base.php
+++ b/lib/base.php
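Review bot: The guard added in destroy_assoc_handle, and repeated verbatim in the new_assoc, secret and user_session hunks, switches on `session.cookie_secure` but leaves `session.cookie_httponly` at its default, so the `phpMyID_Server` cookie set in user_session stays exposed to script — unlike lib/base.php in this same commit, which sets both before session_start(). I would pair the two inside the same if, `ini_set("session.cookie_secure", "on"); ini_set("session.cookie_httponly", "1");`, and since the four-line block is now copied four times, a small helper that applies the forcessl cookie settings and is called right before each session_start() would keep the copies from drifting. The flag is derived from config rather than from the connection the request actually arrived on, so if any of these endpoints can be reached over plain HTTP while forcessl is enabled the browser will discard the cookie; I cannot tell from these hunks whether lib/base.php's redirect always runs first. Each of the four enclosing functions starts and ends outside its hunk.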
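Review bot: The FIXME leaves this endpoint calling session_start() with no cookie flags, so with forcessl enabled a request here still issues the session cookie without the secure flag (and, if this script does not go through lib/base.php, without httponly either); as the comment itself says, the fix is the same `if (OC_Config::getValue("forcessl", false)) { ini_set("session.cookie_secure", "on"); }` guard used elsewhere in this commit, assuming OC_Config is loaded here, which is not visible in the hunk. Separately, `$_SESSION['timezone'] = $_GET['time'];` stores the query parameter unvalidated; I would check it against the form the consumers expect (a numeric offset or a known timezone identifier, whichever the callers use) before storing it.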
@@ -80,8 +80,6 @@ class OC{
 date_default_timezone_set('Europe/Berlin');
 ini_set('arg_separator.output','&');
- ini_set('session.cookie_httponly','1;');
- session_start();
 // calculate the documentroot
 OC::$DOCUMENTROOT=realpath($_SERVER['DOCUMENT_ROOT']);
@@ -102,6 +100,7 @@ class OC{
 // redirect to https site if configured
 if( OC_Config::getValue( "forcessl", false )){
+ ini_set("session.cookie_secure", "on");
 if(!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') {
 $url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
 header("Location: $url");
@@ -109,6 +108,9 @@ class OC{
 }
 }
+ ini_set('session.cookie_httponly','1;');
+ session_start();
+
 // Add the stuff we need always
 OC_Util::addScript( "jquery-1.6.4.min" );
 OC_Util::addScript( "jquery-ui-1.8.14.custom.min" );
diff --git a/lib/user.php b/lib/user.php
index 3e73b2f10086ebacd59b21dbff337c6f9d5b3768..241d9aa8b1042c158b1829b307ff92e95a88768a 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -348,9 +348,10 @@ class OC_User {
 * @param string $username username to be set
 */
 public static function setMagicInCookie($username, $token){
- setcookie("oc_username", $username, time()+60*60*24*15);
- setcookie("oc_token", $token, time()+60*60*24*15);
- setcookie("oc_remember_login", true, time()+60*60*24*15);
+ $secure_cookie = OC_Config::getValue("forcessl", false);
+ setcookie("oc_username", $username, time()+60*60*24*15, '', '', $secure_cookie);
+ setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie);
+ setcookie("oc_remember_login", true, time()+60*60*24*15, '', '', $secure_cookie);
 }
 /**
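Review bot: The moved `ini_set('session.cookie_httponly','1;')` in the last lib/base.php hunk carries a stray `;` inside the value; it only takes effect because PHP's boolean ini parser falls back to atoi() on strings it does not recognise, so while the line is being touched I would write `ini_set('session.cookie_httponly', '1');`. Moving session_start() below the forcessl block is the right order for the new `session.cookie_secure` setting, but whether the session cookie is still issued on the redirect response depends on what follows `header("Location: $url");` in the middle hunk, which lies outside the diff — if that branch does not exit, session_start() now also runs on the 302. Both hunks sit inside a method of `class OC` whose start and end are outside the diff.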
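Review bot: The three rewritten setcookie() calls in setMagicInCookie pass the new secure flag but leave the seventh `$httponly` argument at its default, so `oc_token` — a fifteen-day credential — remains exposed to script; I would append `true` to each, e.g. `setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie, true);`, and likewise for oc_username and oc_remember_login. `OC_Config::getValue("forcessl", false)` presumably returns whatever the config file holds, so `$secure_cookie = (bool) OC_Config::getValue("forcessl", false);` would keep setcookie's bool parameter from receiving a string. Tying the flag to config alone also means a cookie issued over HTTPS on a deployment with forcessl off is still sent over plain HTTP; OR-ing in `$_SERVER['HTTPS']` being 'on' is worth considering if mixed access is not intended.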