From c7d4e723417f3fad2a306af1f2053cdafde8af43 Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Fri, 23 Sep 2011 13:52:10 +0200
Subject: [PATCH] set cookie secure if forcessl is enabled

This also moves session_start in lib/base.php down a bit because we need
OC::$SERVERROOT to get the config settings.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 apps/user_openid/phpmyid.php | 12 ++++++++++++
 files/ajax/timezone.php      |  4 +++-
 lib/base.php                 |  6 ++++--
 lib/user.php                 |  7 ++++---
 4 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/apps/user_openid/phpmyid.php b/apps/user_openid/phpmyid.php
index 09538b61ab..5009fa410a 100644
--- a/apps/user_openid/phpmyid.php
+++ b/apps/user_openid/phpmyid.php
@@ -1069,6 +1069,9 @@ function destroy_assoc_handle ( $id ) {
 	session_write_close();
 
 	session_id($id);
+	if (OC_Config::getValue( "forcessl", false )) {
+		ini_set("session.cookie_secure", "on");
+	}
 	session_start();
 	session_destroy();
 
@@ -1194,6 +1197,9 @@ function new_assoc ( $expiration ) {
 		session_write_close();
 	}
 
+	if (OC_Config::getValue( "forcessl", false )) {
+		ini_set("session.cookie_secure", "on");
+	}
 	session_start();
 	session_regenerate_id('false');
 
@@ -1265,6 +1271,9 @@ function secret ( $handle ) {
 	}
 
 	session_id($handle);
+	if (OC_Config::getValue( "forcessl", false )) {
+		ini_set("session.cookie_secure", "on");
+	}
 	session_start();
 	debug('Started session to acquire key: ' . session_id());
 
@@ -1467,6 +1476,9 @@ function user_session () {
 	global $proto, $profile;
 
 	session_name('phpMyID_Server');
+	if (OC_Config::getValue( "forcessl", false )) {
+		ini_set("session.cookie_secure", "on");
+	}
 	@session_start();
 
 	$profile['authorized'] = (isset($_SESSION['auth_username'])
diff --git a/files/ajax/timezone.php b/files/ajax/timezone.php
index 93d06611a0..8e1d2aa1ec 100644
--- a/files/ajax/timezone.php
+++ b/files/ajax/timezone.php
@@ -1,4 +1,6 @@
 <?php
+	// FIXME: this should start a secure session if forcessl is enabled
+	// see lib/base.php for an example
 	session_start();
 	$_SESSION['timezone'] = $_GET['time'];
-?>
\ No newline at end of file
+?>
diff --git a/lib/base.php b/lib/base.php
index ec6b2e98df..de2e7a36ee 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -80,8 +80,6 @@ class OC{
 
 		date_default_timezone_set('Europe/Berlin');
 		ini_set('arg_separator.output','&amp;');
-		ini_set('session.cookie_httponly','1;');
-		session_start();
 
 		// calculate the documentroot
 		OC::$DOCUMENTROOT=realpath($_SERVER['DOCUMENT_ROOT']);
@@ -102,6 +100,7 @@ class OC{
 
 		// redirect to https site if configured
 		if( OC_Config::getValue( "forcessl", false )){
+			ini_set("session.cookie_secure", "on");
 			if(!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] != 'on') {
 				$url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
 				header("Location: $url");
@@ -109,6 +108,9 @@ class OC{
 			}
 		}
 
+		ini_set('session.cookie_httponly','1;');
+		session_start();
+
 		// Add the stuff we need always
 		OC_Util::addScript( "jquery-1.6.4.min" );
 		OC_Util::addScript( "jquery-ui-1.8.14.custom.min" );
diff --git a/lib/user.php b/lib/user.php
index 3e73b2f100..241d9aa8b1 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -348,9 +348,10 @@ class OC_User {
 	 * @param string $username username to be set
 	 */
 	public static function setMagicInCookie($username, $token){
-		setcookie("oc_username", $username, time()+60*60*24*15);
-		setcookie("oc_token", $token, time()+60*60*24*15);
-		setcookie("oc_remember_login", true, time()+60*60*24*15);
+		$secure_cookie = OC_Config::getValue("forcessl", false);
+		setcookie("oc_username", $username, time()+60*60*24*15, '', '', $secure_cookie);
+		setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie);
+		setcookie("oc_remember_login", true, time()+60*60*24*15, '', '', $secure_cookie);
 	}
 
 	/**
-- 
GitLab