Changeset 633 for branches/1.1dev

Timestamp:

Aug 9, 2018 10:21:49 PM (6 years ago)

Author:

anonymous

Message:

Add disabled session_use_trans_sid to defaults

Location:

branches/1.1dev

Files:

• config/defaults.inc.php (modified) (1 diff)
• lib/App.inc.php (modified) (2 diffs)

branches/1.1dev/config/defaults.inc.php

@@ -68 +68 @@
 // Use php sessions?
 setDefault($CFG->enable_session, true);
+
+// Pass the session-id through URLs if cookies are not enabled?
+// Disable this to prevent session ID theft.
+setDefault($CFG->session_use_trans_sid, false);
 
 // Use mysql-based sessions?

branches/1.1dev/lib/App.inc.php

@@ -546 +546 @@
     // - sessions are enabled
     // - the link stays on our site
-    // - transparent SID propogation with session.use_trans_sid is not being used OR url begins with protocol (using_trans_sid has no effect here)
+    // - transparent SID propagation with session.use_trans_sid is not being used OR url begins with protocol (using_trans_sid has no effect here)
     // OR
     // - we must include the SID because we say so (it's used in a context where cookies will not be effective, ie. moving from http to https)
@@ -558 +558 @@
                     || !$CFG->session_use_cookies
                 )
+                && $CFG->session_use_trans_sid
                 && $CFG->enable_session
                 && isMyDomain($url)