From d4e00c7bde1ea3e2b6e590767f7e380561cb4dae Mon Sep 17 00:00:00 2001
From: friendica
Date: Thu, 8 May 2014 16:28:40 -0700
Subject: turn off ssl cookie protection by default since nobody that has problems with it is apparently able to debug it. PLEASE turn it on by util/config system ssl_cookie_protection 1 if you use SSL. Please debug it if you have a problem and have any basic technical skills at all and tell us why it doesn't work so we can fix it and turn this on by default because it is very very very important.
---
 index.php | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
(limited to 'index.php')
diff --git a/index.php b/index.php
index 6019cecd3..36ff74169 100755
--- a/index.php
+++ b/index.php
@@ -55,6 +55,17 @@ if(! $a->install) {
 call_hooks('init_1');
 load_translation_table($a->language);
+ // Force the cookie to be secure (https only) if this site is SSL enabled. Must be done before session_start().
+
+ if((! $a->install) && intval($a->config['system']['ssl_cookie_protection'])) {
+ $arr = session_get_cookie_params();
+ session_set_cookie_params(
+ ((isset($arr['lifetime'])) ? $arr['lifetime'] : 60*5),
+ ((isset($arr['path'])) ? $arr['path'] : '/'),
+ ((isset($arr['domain'])) ? $arr['domain'] : $a->get_hostname()),
+ ((isset($_SERVER['HTTPS'])) ? true : false),
+ ((isset($arr['httponly'])) ? $arr['httponly'] : true));
+ }
 }
 else {
 // load translations but do not check plugins as we have no database
@@ -73,15 +84,6 @@ else {
 *
 */
-// Force the cookie to be secure (https only) if this site is SSL enabled. Must be done before session_start().
-$arr = session_get_cookie_params();
-session_set_cookie_params(
-((isset($arr['lifetime'])) ? $arr['lifetime'] : 60*5),
-((isset($arr['path'])) ? $arr['path'] : '/'),
-((isset($arr['domain'])) ? $arr['domain'] : $a->get_hostname()),
-((isset($_SERVER['HTTPS'])) ? true : false),
-((isset($arr['httponly'])) ? $arr['httponly'] : true));
 session_start();
 /**
-- cgit v1.2.3
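Review bot: The `: true` fallback on the httponly argument of `session_set_cookie_params()` can never fire: `session_get_cookie_params()` always returns the `httponly` key (false unless php.ini sets `session.cookie_httponly`), and `isset()` is true for a `false` value, so even with the flag enabled the session cookie is still sent without HttpOnly on a default PHP install; the `60*5` lifetime fallback is dead for the same reason, since the returned lifetime is `0`, not null. Because this branch only runs when the admin has opted into cookie protection, pass the hardened value directly — `true));` as the last argument — rather than echoing whatever php.ini happened to provide. The secure flag is likewise derived only from `$_SERVER['HTTPS']`, which is typically absent behind a TLS-terminating reverse proxy, so an HTTPS-only site can silently end up with a cookie that browsers will also send over plain HTTP; given the commit message tells admins to "turn it on if you use SSL", setting secure to `true` unconditionally when the flag is on would be the more predictable contract. The enclosing `if(! $a->install)` block begins before the hunk.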
From c410406922f23688459f7279b01e89897725f8a2 Mon Sep 17 00:00:00 2001
From: friendica
Date: Thu, 8 May 2014 16:33:35 -0700
Subject: remove the redundant install check
---
 index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'index.php')
diff --git a/index.php b/index.php
index 36ff74169..ed3c25f07 100755
--- a/index.php
+++ b/index.php
@@ -57,7 +57,7 @@ if(! $a->install) {
 load_translation_table($a->language);
 // Force the cookie to be secure (https only) if this site is SSL enabled. Must be done before session_start().
- if((! $a->install) && intval($a->config['system']['ssl_cookie_protection'])) {
+ if(intval($a->config['system']['ssl_cookie_protection'])) {
 $arr = session_get_cookie_params();
 session_set_cookie_params(
 ((isset($arr['lifetime'])) ? $arr['lifetime'] : 60*5),
-- cgit v1.2.3
From 4cf684a701fcf175bf2104bef66f91ac7549818f Mon Sep 17 00:00:00 2001
From: friendica
Date: Thu, 8 May 2014 18:50:33 -0700
Subject: better checking for SSL servers, even though it probably doesn't fix the cookie bug
---
 index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'index.php')
diff --git a/index.php b/index.php
index ed3c25f07..a07c1a633 100755
--- a/index.php
+++ b/index.php
@@ -63,7 +63,7 @@ if(! $a->install) {
 ((isset($arr['lifetime'])) ? $arr['lifetime'] : 60*5),
 ((isset($arr['path'])) ? $arr['path'] : '/'),
 ((isset($arr['domain'])) ? $arr['domain'] : $a->get_hostname()),
- ((isset($_SERVER['HTTPS'])) ? true : false),
+ ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
 ((isset($arr['httponly'])) ? $arr['httponly'] : true));
 }
 }
-- cgit v1.2.3
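Review bot: The new `== 'on'` test is stricter than PHP's documented contract for `$_SERVER['HTTPS']`, which is only guaranteed to be a non-empty value on TLS requests (with IIS/ISAPI setting it to `off` on plain HTTP), so a SAPI that populates it with `1` now yields `secure = false` and the session cookie silently loses its protection. The conventional check is `((! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off') ? true : false),`, which covers `on`, `1` and the IIS `off` case alike. Either way the detection fails open — when it misjudges the transport the cookie is issued without the secure flag rather than the request being refused, and the commit message itself says this probably does not fix the reported bug — so since this branch only runs when `ssl_cookie_protection` is explicitly enabled, trusting that setting and passing `true` here would remove the guesswork entirely. The enclosing `if(intval($a->config['system']['ssl_cookie_protection']))` block and the `session_set_cookie_params()` call both start before the hunk.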