Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

NEW If $dolibarr_main_force_https is set, the flag 'secure' on session

Browse Source 
cookie is also set.
This commit is contained in:
Laurent Destailleur
2020-03-22 01:59:32 +01:00
parent c8b05036a4
commit ba8ece525d
2 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/conf/conf.php.example
View File

@@ -218,7 +218,7 @@ $dolibarr_main_authentication='dolibarr';
// 0 = No forced redirect
// 1 = Force redirect to https, until SCRIPT_URI start with https into response
// 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response
// 'https://my.domain.com' = Force reditect to https using this domain name.
// 'https://my.domain.com' = Force redirect to https using this domain name.
// Warning: If you enable this parameter, your web server must be configured to
// respond URL with https protocol.
// According to your web server setup, some values may works and other not. Try
@@ -226,7 +226,7 @@ $dolibarr_main_authentication='dolibarr';
// Default value: 0
// Possible values: 0, 1, 2 or 'https://my.domain.com'
// Examples:
// $dolibarr_main_force_https='0';
// $dolibarr_main_force_https='1';
//
$dolibarr_main_force_https='0';

6
htdocs/main.inc.php
View File

@@ -210,7 +210,7 @@ $sessionname = 'DOLSESSID_'.$prefix;
$sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
if (!empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
session_name($sessionname);
session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
// This create lock, released when session_write_close() or end of page.
// We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
if (!defined('NOSESSION'))
@@ -625,7 +625,7 @@ if (!defined('NOLOGIN'))
dol_syslog('User not found, connexion refused');
session_destroy();
session_name($sessionname);
session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
session_start();
if ($resultFetchUser == 0)
@@ -682,7 +682,7 @@ if (!defined('NOLOGIN'))
dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
session_destroy();
session_name($sessionname);
session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
session_start();
if ($resultFetchUser == 0)