From a49f2f5f060f982fa2a03864b9bc0968010b993d Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Mon, 6 Aug 2018 01:23:22 +0900
Subject: [PATCH] Change Context::isAlwaysSSL() to config('session.use_ssl_cookies')
- Main session cookie is httpOnly if use_ssl is true
- SSO cookie is always httpOnly
---
 classes/context/Context.class.php | 30 ++++---------------
 classes/mobile/Mobile.class.php | 2 +-
 common/framework/session.php | 4 +--
 common/js/common.js | 2 +-
 common/tpl/common_layout.html | 3 +-
 modules/admin/tpl/config_security.html | 8 ++---
 modules/member/member.view.php | 2 +-
 .../skins/ncenter_login/js/ncenter.js | 2 +-
 8 files changed, 18 insertions(+), 35 deletions(-)
diff --git a/classes/context/Context.class.php b/classes/context/Context.class.php
index 904f861e2..ee68ccb23 100644
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@@ -300,7 +300,7 @@ class Context
 {
 if($_COOKIE['lang_type'] !== $lang_type)
 {
- setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, self::isAlwaysSSL());
+ setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
 }
 }
 elseif($_COOKIE['lang_type'])
@@ -316,7 +316,7 @@ class Context
 if(!strncasecmp($lang_code, $_SERVER['HTTP_ACCEPT_LANGUAGE'], strlen($lang_code)))
 {
 $lang_type = $lang_code;
- setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, self::isAlwaysSSL());
+ setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, !!config('session.use_ssl_cookies'));
 }
 }
 }
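Review bot: The `lang_type` cookie's Secure flag now depends only on `session.use_ssl_cookies`, so on a site whose `security` setting is `always` but where that option is left off, the cookie is newly sent over plain HTTP; this applies to the `setcookie` line in this hunk and the one at -316, and equally to `rx_uatype` in Mobile.class.php and `XE_REDIRECT_URL` in member.view.php. If the two settings are meant to stay independent, consider folding the site state in, `!!config('session.use_ssl_cookies') || self::get('site_module_info')->security === 'always'`, or at least document that enabling always-SSL should be paired with enabling SSL cookies. None of these calls passes the seventh `httponly` argument; unless the value is read by JavaScript, which the hunk does not show, `true` there keeps it out of reach of script. The enclosing method starts and ends outside the hunk.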
@@ -617,23 +617,6 @@ class Context
 return self::get('_use_ssl');
 }
- /**
- * Return ssl status
- *
- * @param boolen $purge_cache Set true to get uncached SSL_enforce value.
- * @return boolean (true|false)
- */
- public static function isAlwaysSSL($purge_cache = false)
- {
- static $ssl_only = null;
- if(is_null($ssl_only) || $purge_cache === true)
- {
- $ssl_only = (self::get('site_module_info')->security === 'always' ? true : false);
- }
- return $ssl_only;
- }
-
-
 /**
 * Return default URL
 *
@@ -1714,13 +1697,12 @@ class Context
 }
 // If using SSL always
- $_use_ssl = self::get('_use_ssl');
- if($_use_ssl == 'always')
+ if($site_module_info->security == 'always')
 {
 $query = self::getRequestUri(ENFORCE_SSL, $domain) . $query;
 }
 // optional SSL use
- elseif($_use_ssl == 'optional')
+ elseif($site_module_info->security == 'optional')
 {
 $ssl_mode = ((self::get('module') === 'admin') || ($get_vars['module'] === 'admin') || (isset($get_vars['act']) && self::isExistsSSLAction($get_vars['act']))) ? ENFORCE_SSL : RELEASE_SSL;
 $query = self::getRequestUri($ssl_mode, $domain) . $query;
@@ -1786,7 +1768,8 @@ class Context
 return;
 }
- if(self::isAlwaysSSL())
+ $site_module_info = self::get('site_module_info');
+ if ($site_module_info->security === 'always')
 {
 $ssl_mode = ENFORCE_SSL;
 }
@@ -1801,7 +1784,6 @@ class Context
 break;
 }
- $site_module_info = self::get('site_module_info');
 if ($domain !== null && $domain !== false && $domain !== $site_module_info->domain)
 {
 if (!isset($domain_infos[$domain]))
diff --git a/classes/mobile/Mobile.class.php b/classes/mobile/Mobile.class.php
index ef69cef99..dd7348bfa 100644
--- a/classes/mobile/Mobile.class.php
+++ b/classes/mobile/Mobile.class.php
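Review bot: In the hunk at -1714, `$site_module_info->security == 'always'` and `== 'optional'` use loose comparison while the hunk at -1786 compares the same property with `===`; use `if($site_module_info->security === 'always')` and `elseif($site_module_info->security === 'optional')` for consistency and to avoid PHP's loose coercion rules. `$site_module_info` is not assigned anywhere in that hunk, so it must come from earlier in the enclosing method, which starts outside the hunk; worth confirming it is populated on every path that reaches this branch. Separately, dropping the public `isAlwaysSSL()` at -617 is a fatal error for any third-party module still calling it; a one-line deprecated wrapper returning `self::get('site_module_info')->security === 'always'` would keep such callers working through a release cycle.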
@@ -73,7 +73,7 @@ class Mobile
 $uatype = $uahash . ':' . (self::$_ismobile ? '1' : '0');
 if ($cookie !== $uatype)
 {
- setcookie('rx_uatype', $uatype, 0, null, null, Context::isAlwaysSSL());
+ setcookie('rx_uatype', $uatype, 0, null, null, !!config('session.use_ssl_cookies'));
 $_COOKIE['rx_uatype'] = $uatype;
 }
diff --git a/common/framework/session.php b/common/framework/session.php
index ee04e7d35..714d33b69 100644
--- a/common/framework/session.php
+++ b/common/framework/session.php
@@ -80,7 +80,7 @@ class Session
 ini_set('session.use_cookies', 1);
 ini_set('session.use_only_cookies', 1);
 ini_set('session.use_strict_mode', 1);
- session_set_cookie_params($lifetime, $path, null, $ssl_only, true);
+ session_set_cookie_params($lifetime, $path, null, $ssl_only, $ssl_only);
 session_name($session_name = Config::get('session.name') ?: session_name());
 // Get session ID from POST parameter if using relaxed key checks.
@@ -295,7 +295,7 @@ class Session
 if(!$is_default_domain && !\Context::get('sso_response') && $_COOKIE['sso'] !== md5($current_domain))
 {
 // Set sso cookie to prevent multiple simultaneous SSO validation requests.
- setcookie('sso', md5($current_domain), 0, '/', null, \Context::isAlwaysSSL(), true);
+ setcookie('sso', md5($current_domain), 0, '/', null, !!config('session.use_ssl'), true);
 // Redirect to the default site.
 $sso_request = Security::encrypt($current_url);
diff --git a/common/js/common.js b/common/js/common.js
index 7280af53b..29d75687d 100644
--- a/common/js/common.js
+++ b/common/js/common.js
@@ -1056,7 +1056,7 @@ function setCookie(name, value, expire, path) {
 var s_cookie = name + "=" + escape(value) + ((!expire) ? "" : ("; expires=" + expire.toGMTString())) + "; path=" + ((!path) ? "/" : path) +
- ((enforce_ssl) ? ";secure" : "");
+ ((cookies_ssl) ? ";secure" : "");
 document.cookie = s_cookie;
 }
diff --git a/common/tpl/common_layout.html b/common/tpl/common_layout.html
index a047c8958..d82cf2c11 100644
--- a/common/tpl/common_layout.html
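Review bot: In the session.php hunk at -80, tying the session cookie's HttpOnly flag to `$ssl_only` in `session_set_cookie_params($lifetime, $path, null, $ssl_only, $ssl_only)` removes HttpOnly from every deployment that has not enabled SSL cookies, which is exactly where a script-readable session id is most exposed; Secure and HttpOnly defend against different threats and should not share one switch. Keep the fifth argument `true` as it was, or, if script access to the session id is genuinely needed somewhere, gate it on its own config key so the default stays HttpOnly. Where `$ssl_only` is derived is outside the hunk, as is the rest of the enclosing method.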
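Review bot: In the session.php hunk at -295, the `sso` cookie's Secure flag reads `config('session.use_ssl')` while every other cookie touched by this patch reads `session.use_ssl_cookies`; the admin template in this patch appears to expose these as two separate settings, so this looks like the wrong key, and the cookie would stay non-Secure whenever only the cookie option is enabled. Change it to `!!config('session.use_ssl_cookies')` unless the divergence is intended, in which case a short comment on the line explaining why would spare the next reader the same question. The enclosing method starts and ends outside the hunk.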
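Review bot: In the common.js hunk at -1056, `cookies_ssl` is a bare global that exists only when common_layout.html renders its inline script; on any page or skin that loads common.js without that layout, `setCookie` now throws a ReferenceError, which is the same exposure the old `enforce_ssl` had but is worth fixing while the name is being changed. A guarded read, `((typeof cookies_ssl !== 'undefined' && cookies_ssl) ? ";secure" : "")`, keeps the function usable there without changing behaviour where the global is defined; the identical line in ncenter.js needs the same treatment. The `setCookie` signature sits on the hunk header line, just outside the hunk itself.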
+++ b/common/tpl/common_layout.html
@@ -55,7 +55,8 @@
 var current_mid = {json_encode($mid ?: null)};
 var http_port = {Context::get("_http_port") ?: 'null'};
 var https_port = {Context::get("_https_port") ?: 'null'};
- var enforce_ssl = {Context::get('_use_ssl') === 'always' ? 'true' : 'false'};
+ var enforce_ssl = {$site_module_info->security === 'always' ? 'true' : 'false'};
+ var cookies_ssl = {config('session.use_ssl_cookies') ? 'true' : 'false'};
 var ssl_actions = {json_encode(array_keys(Context::getSSLActions()))};
 var xeVid = null;
diff --git a/modules/admin/tpl/config_security.html b/modules/admin/tpl/config_security.html
index 9da0452c3..e6dbe3598 100644
--- a/modules/admin/tpl/config_security.html
+++ b/modules/admin/tpl/config_security.html
@@ -51,8 +51,8 @@
- - + +

{$lang->about_use_session_ssl}

@@ -60,8 +60,8 @@
- - + +

{$lang->about_use_cookies_ssl}

diff --git a/modules/member/member.view.php b/modules/member/member.view.php
index 65974fa00..599a9ba0c 100644
--- a/modules/member/member.view.php
+++ b/modules/member/member.view.php
@@ -192,7 +192,7 @@ class memberView extends member
 function dispMemberSignUpForm()
 {
 //setcookie for redirect url in case of going to member sign up
- setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER'], 0, '/', null, Context::isAlwaysSSL());
+ setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER'], 0, '/', null, !!config('session.use_ssl_cookies'));
 $member_config = $this->member_config;
diff --git a/widgets/login_info/skins/ncenter_login/js/ncenter.js b/widgets/login_info/skins/ncenter_login/js/ncenter.js
index 92b073686..87827deff 100644
--- a/widgets/login_info/skins/ncenter_login/js/ncenter.js
+++ b/widgets/login_info/skins/ncenter_login/js/ncenter.js
@@ -8,7 +8,7 @@
 dt.setTime(dt.getTime() + (d * 24 * 60 * 60000));
 e = "; expires=" + dt.toGMTString();
 }
- document.cookie = n + "=" + v + e + "; path=/" + ((enforce_ssl) ? ";secure" : "");
+ document.cookie = n + "=" + v + e + "; path=/" + ((cookies_ssl) ? ";secure" : "");
 }
 var n = $('#nc_container');
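Review bot: The changed line in member.view.php still writes `$_SERVER['HTTP_REFERER']` into the `XE_REDIRECT_URL` cookie with no validation, so whatever later reads that cookie as a redirect target is trusting a client-supplied header; that reader is outside this hunk, so treat this as a check to confirm rather than a proven defect. Validating that the referrer is a URL on this site before calling `setcookie`, and passing `true` as the seventh argument since nothing in the hunk reads the cookie from script, would narrow both the redirect and the exposure. `dispMemberSignUpForm` continues past the end of the hunk.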