- Timestamp:
- May 30, 2019 5:28:57 AM (5 years ago)
- Location:
- trunk/lib
- Files:
-
- 6 edited
trunk/lib/App.inc.php
r686 r690 89 89 'redirect_home_url' => '/', 90 90 91 // SSL URL used when redirecting with $app->sslOn().92 'ssl_domain' => null,93 'ssl_enabled' => false,94 95 91 // Use CSRF tokens. See notes in the getCSRFToken() method. 96 92 'csrf_token_enabled' => true, … … 211 207 'tmp_dir' => '/tmp', 212 208 209 // Session files directory. If not defined, the default value from php.ini will be used. 210 'session_dir' => '', 211 213 212 // A key for calculating simple cryptographic signatures. Set using as an environment variables in the httpd.conf with 'SetEnv SIGNING_KEY <key>'. 214 213 // Existing password hashes rely on the same key/salt being used to compare encryptions. … … 383 382 if ($this->getParam('php_timezone')) { 384 383 $this->setTimezone($this->getParam('php_timezone')); 384 } 385 386 // If external request was HTTPS but internal request is HTTP, set $_SERVER['HTTPS']='on', which is used by the application to determine that TLS features should be enabled. 387 if (strtolower(getenv('HTTP_X_FORWARDED_PROTO')) == 'https' && strtolower(getenv('REQUEST_SCHEME')) == 'http') { 388 putenv('HTTPS=on'); // Available via getenv(âŠ) 389 isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] = 'on'; // Available via $_SERVER[âŠ] 385 390 } 386 391 … … 448 453 449 454 // Session parameters. 455 // https://www.php.net/manual/en/session.security.ini.php 456 ini_set('session.cookie_httponly', true); 457 ini_set('session.cookie_secure', getenv('HTTPS') == 'on'); 458 ini_set('session.cookie_samesite', 'Strict'); // Only PHP >= 7.3 459 // TODO: Reliance on gc_maxlifetime is not recommended. Developers should manage the lifetime of sessions with a timestamp by themselves. 460 ini_set('session.cookie_lifetime', 604800); // 7 days. 461 ini_set('session.gc_maxlifetime', 604800); // 7 days. 
462 ini_set('session.gc_divisor', 1000); 450 463 ini_set('session.gc_probability', 1); 451 ini_set('session.gc_divisor', 1000);452 ini_set('session.gc_maxlifetime', 43200); // 12 hours453 464 ini_set('session.use_cookies', $this->getParam('session_use_cookies')); 465 ini_set('session.use_only_cookies', true); 454 466 ini_set('session.use_trans_sid', false); 467 ini_set('session.use_strict_mode', true); 455 468 ini_set('session.entropy_file', '/dev/urandom'); 456 469 ini_set('session.entropy_length', '512'); 457 ini_set('session.cookie_httponly', true); 470 ini_set('session.sid_length', '48'); // Only PHP >= 7.1 471 ini_set('session.cache_limiter', 'nocache'); 472 if ('' != $this->getParam('session_dir') && is_dir($this->getParam('session_dir'))) { 473 ini_set('session.save_path', $this->getParam('session_dir')); 474 } 458 475 session_name($this->getParam('session_name')); 459 476 … … 1146 1163 $url = $parts[0]; 1147 1164 $anchor = isset($parts[1]) ? $parts[1] : ''; 1148 // $anchor =1149 1165 1150 1166 // Include the necessary SID if the following is true: … … 1411 1427 * and the session is not already defined in the given $url, the SID is appended as a URI query. 1412 1428 * As with all header generating functions, make sure this is called before any other output. 1429 * Using relative URI with Location: header is valid as per https://tools.ietf.org/html/rfc7231#section-7.1.2 1413 1430 * 1414 1431 * @param string $url The URL the client will be redirected to. 
… … 1431 1448 $url = $this->getParam('redirect_home_url'); 1432 1449 } 1433 1434 // FIXME: actually, it seems better to continue using a relative URL since we can't guess the port at the reverse proxy (e.g., port 3000 for browser-sync).1435 // if (preg_match('!^/!', $url)) {1436 // // If relative URL is given, prepend site_url, which contains: scheme://hostname[:port]1437 // $url = sprintf('%s%s', $this->getParam('site_url'), $url);k1438 // }1439 1450 1440 1451 $url = $this->url($url, $carry_args, $always_include_sid); … … 1638 1649 } 1639 1650 1640 if ($url == absoluteMe() ) {1651 if ($url == absoluteMe() || $url == getenv('REQUEST_URI')) { 1641 1652 // The URL we are directing to is the current page. 1642 $this->logMsg(sprintf('validBoomerangURL(%s) not valid, same as absoluteMe : %s', $id, $url), LOG_DEBUG, __FILE__, __LINE__);1653 $this->logMsg(sprintf('validBoomerangURL(%s) not valid, same as absoluteMe or REQUEST_URI: %s', $id, $url), LOG_DEBUG, __FILE__, __LINE__); 1643 1654 return false; 1644 1655 } … … 1711 1722 // Defaults. 1712 1723 $expire = (is_numeric($expire) ? $expire : (is_string($expire) ? strtotime($expire) : $expire)); 1713 $secure = $secure ?: (getenv('HTTPS') && $this->getParam('ssl_enabled'));1724 $secure = $secure ?: getenv('HTTPS') == 'on'; 1714 1725 $httponly = $httponly ?: true; 1715 1726 -
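Review bot: The `HTTP_X_FORWARDED_PROTO` test added at line 387 is applied to every request, so when the backend is reachable without going through the reverse proxy, a client can send `X-Forwarded-Proto: https` over plain HTTP and flip the application into its TLS-on behaviour (`session.cookie_secure` at line 457 and the `$secure` cookie default at line 1724 both key off `getenv('HTTPS')`); gate the override on `REMOTE_ADDR` matching a configured list of proxy addresses, or state in the comment that the proxy must overwrite that header on inbound requests. The second line of the override, `isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] = 'on';`, only assigns when the key already exists, which on a cleartext backend request it normally does not, so readers of `$_SERVER['HTTPS']` never see the override despite the comment; drop the guard: `$_SERVER['HTTPS'] = 'on';`. `strtolower(getenv(...))` receives `false` when the variable is absent, which works today but is deprecated from PHP 8.1, so `strtolower((string) getenv('HTTP_X_FORWARDED_PROTO'))` is safer. The enclosing method starts and ends outside the hunk.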
trunk/lib/Auth_File.inc.php
r611 r690 324 324 325 325 // Login scripts must have the same 'login' tag for boomerangURL verification/manipulation. 326 $app->setBoomerangURL( absoluteMe(), 'login');326 $app->setBoomerangURL(getenv('REQUEST_URI'), 'login'); 327 327 $app->dieURL($this->_params['login_url']); 328 328 } -
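Review bot: `getenv('REQUEST_URI')` at line 326 is the raw request target supplied by the client, and the same value is now stored as a redirect destination in Auth_SQL.inc.php line 775, Auth_Simple.inc.php line 263 and Lock.inc.php line 391; a request whose path begins with `//host/...` (or `/\host/...`) yields a protocol-relative URI that a later relative `Location:` header, which the App.inc.php docblock change explicitly allows, would send the browser off-site. Unless setBoomerangURL or validBoomerangURL already normalizes its input, which is not visible here, add a check where the boomerang value is stored or validated that accepts only a path-rooted URI, e.g. `if (!preg_match('!^/(?![/\\\\])!', $url)) { return false; }`, where the character class rejects both `//` and `/\`. The enclosing method starts and ends outside the hunk.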
trunk/lib/Auth_SQL.inc.php
r674 r690 610 610 * - remote address is the same as the login remote address 611 611 * 612 * TODO: implement persisten sessions as per https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence 613 * 612 614 * @access public 613 615 */ … … 771 773 772 774 // Login scripts must have the same 'login' tag for boomerangURL verification/manipulation. 773 $app->setBoomerangURL( absoluteMe(), 'login');775 $app->setBoomerangURL(getenv('REQUEST_URI'), 'login'); 774 776 $app->dieURL($this->_params['login_url']); 775 777 } -
trunk/lib/Auth_Simple.inc.php
r685 r690 261 261 262 262 // Login scripts must have the same 'login' tag for boomerangURL verification/manipulation. 263 $app->setBoomerangURL( absoluteMe(), 'login');263 $app->setBoomerangURL(getenv('REQUEST_URI'), 'login'); 264 264 $app->dieURL($this->_params['login_url']); 265 265 } -
trunk/lib/Lock.inc.php
r685 r690 389 389 $app =& App::getInstance(); 390 390 391 $app->dieURL($this->getParam('error_url'), array('lock_id' => $this->data['lock_id'], 'boomerang' => urlencode( absoluteMe())));391 $app->dieURL($this->getParam('error_url'), array('lock_id' => $this->data['lock_id'], 'boomerang' => urlencode(getenv('REQUEST_URI')))); 392 392 } 393 393 -
trunk/lib/Utilities.inc.php
r679 r690 1399 1399 1400 1400 /** 1401 * Returns a fully qualified URL to the current script, including the query. 1401 * Returns a fully qualified URL to the current script, including the query. If you don't need the scheme://, use REQUEST_URI instead. 1402 1402 * 1403 1403 * @return string a full url to the current script