From 3a1de9f183d077483f2d89162a24b572cffba7a5 Mon Sep 17 00:00:00 2001 From: stekkel Date: Sat, 15 Oct 2005 16:44:59 +0000 Subject: [PATCH] Support for HttpOnly cookies. HttpOnly cookies prohibit access by Javascript. Currently only IE6 supports it. See http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp In order to achieve that the cookie with the session_id also contains the httponly cookie attribute I introduced a new function, sqsession_start which overwrites the cookie set by php by our own cookie containing the session_id and the httponly attribute. All session_start calls are replaced by sqsession_start. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10174 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- functions/global.php | 65 ++++++++++++++++++++++++++++++++++++++++---- src/redirect.php | 4 +-- src/right_main.php | 2 +- src/search.php | 4 +-- src/webmail.php | 2 +- 5 files changed, 65 insertions(+), 12 deletions(-) diff --git a/functions/global.php b/functions/global.php index c20249f5..72dc1c3d 100644 --- a/functions/global.php +++ b/functions/global.php @@ -257,9 +257,9 @@ function sqsession_destroy() { global $base_uri; - if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', time() - 5, $base_uri); - if (isset($_COOKIE['username'])) setcookie('username','',time() - 5,$base_uri); - if (isset($_COOKIE['key'])) setcookie('key','',time() - 5,$base_uri); + if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri); + if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri); + if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri); $sessid = session_id(); if (!empty( $sessid )) { 
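Review bot: The three consecutive sqsetcookie() calls here each emit their own Set-Cookie header through header(), whose replace argument defaults to true, so only the last one (`key`) reaches the browser and the session-id and `username` cookies are never cleared client-side on logout. The fix belongs in sqsetcookie in the next hunk: `header($sHeader, false);`. Note also that `0` is now rendered as `Max-Age=0` instead of the old past `expires=` date; as far as I know IE of that era (the only browser the commit message says honours HttpOnly) ignores Max-Age, so emitting a past `expires=` alongside it would keep deletion working everywhere. sqsession_destroy continues outside the hunk.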
@@ -275,14 +275,67 @@ function sqsession_destroy() { * (even though autoglobal), is not created unless a session is * started, unlike $_POST, $_GET and such */ - function sqsession_is_active() { - $sessid = session_id(); if ( empty( $sessid ) ) { - session_start(); + sqsession_start(); } } +/** + * Function to start the session and store the cookie with the session_id as + * HttpOnly cookie which means that the cookie isn't accessible by javascript + * (IE6 only) + */ +function sqsession_start() { + global $PHP_SELF; + + $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|'); + $repl = array('', '', ''); + $base_uri = preg_replace($dirs, $repl, $PHP_SELF); + + session_start(); + $sessid = session_id(); + // session_starts sets the sessionid cookie buth without the httponly var + // setting the cookie again sets the httponly cookie attribute + sqsetcookie(session_name(),$sessid,false,$base_uri); +} + + +/** + * Set a cookie + * @param string $sName The name of the cookie. + * @param string $sValue The value of the cookie. + * @param int $iExpire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. + * @param string $sPath The path on the server in which the cookie will be available on. + * @param string $sDomain The domain that the cookie is available. + * @param boolean $bSecure Indicates that the cookie should only be transmitted over a secure HTTPS connection. 
+ * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only) + * @return void + */ +function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) { + $sHeader = "Set-Cookie: $sName=$sValue"; + if ($sPath) { + $sHeader .= "; Path=\"$sPath\""; + } + if ($iExpire !==false) { + $sHeader .= "; Max-Age=$iExpire"; + } + if ($sPath) { + $sHeader .= "; Path=$sPath"; + } + if ($sDomain) { + $sHeader .= "; Domain=$sDomain"; + } + if ($bSecure) { + $sHeader .= "; Secure"; + } + if ($bHttpOnly) { + $sHeader .= "; HttpOnly"; + } + $sHeader .= "; Version=1"; + + header($sHeader); +} // vim: et ts=4 ?> \ No newline at end of file diff --git a/src/redirect.php b/src/redirect.php index 3a1c3736..83bbdc29 100644 --- a/src/redirect.php +++ b/src/redirect.php @@ -58,7 +58,7 @@ if (!sqgetGlobalVar('mailto', $mailto)) { set_up_language($squirrelmail_language, true); /* Refresh the language cookie. */ -setcookie('squirrelmail_language', $squirrelmail_language, time()+2592000, +sqsetcookie('squirrelmail_language', $squirrelmail_language, time()+2592000, $base_uri); if (!isset($login_username)) { @@ -93,7 +93,7 @@ if (!sqsession_is_registered('user_is_logged_in')) { $username = $login_username; sqsession_register ($username, 'username'); - setcookie('key', $key, 0, $base_uri); + sqsetcookie('key', $key, false, $base_uri); do_hook ('login_verified'); } diff --git a/src/right_main.php b/src/right_main.php index 6c36e3ca..19d6674f 100644 --- a/src/right_main.php +++ b/src/right_main.php @@ -277,7 +277,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) { session_write_close(); // restart the session. Do not use sqsession_is_active because the session_id // isn't empty after a session_write_close - session_start(); + sqsession_start(); if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) { $compose_width = '640'; } diff --git a/src/search.php b/src/search.php index 47eb52e8..526c0035 100644 --- a/src/search.php +++ b/src/search.php 
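Review bot: sqsetcookie emits the Path attribute twice — first `; Path="$sPath"` and then `; Path=$sPath` — and browsers will most likely treat the quotes as part of the path and fail to match it, so the first `if ($sPath)` block should be dropped and only the unquoted one kept. `$iExpire` is written as `Max-Age`, a lifetime in seconds, yet the callers in src/redirect.php (@@ -58) and src/webmail.php still pass the absolute `time()+2592000` that setcookie() expected, which yields a Max-Age of roughly 30 years rather than 30 days; either document the new relative semantics and change those call sites to `2592000`, or derive `Max-Age` as `$iExpire - time()` and also emit `expires=` via gmdate() for clients that lack Max-Age support. Unlike setcookie(), the raw header does not encode `$sValue`, so a value containing `;`, whitespace or CR/LF would corrupt the header or, on PHP builds without header-injection protection, split the response; `rawurlencode($sValue)` or rejecting such values closes that. sqsession_start also re-derives `$base_uri` from `$PHP_SELF` while sqsession_destroy in the first hunk uses `global $base_uri`; reusing the global keeps the two consistent.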
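Review bot: The sqsession_start() that now replaces session_start() here hand-builds the replacement session cookie with only a path, so the session cookie parameters PHP itself would apply (session.cookie_secure, cookie_domain and cookie_lifetime from php.ini or session_set_cookie_params()) are silently dropped, and a deployment that enforces a Secure session cookie loses that flag on this restart; the identical replacement in src/search.php (@@ -1360) is affected the same way. In sqsession_start (defined in the functions/global.php hunk above) read them with `$p = session_get_cookie_params();` and pass `$p['domain']` and `$p['secure']` through to sqsetcookie. The enclosing FORWARD_SESSION block starts before this hunk.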
@@ -726,7 +726,7 @@ function asearch_get_form_mailbox($imapConnection, &$boxes, $mailbox, $row_num = } /** Build the Include subfolders checkbox - * @todo if(function_exists('addCheckBox')) ? + * @todo if(function_exists('addCheckBox')) ? */ function asearch_get_form_sub($sub, $row_num = 0) { @@ -1360,7 +1360,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) { session_write_close(); // restart the session. Do not use sqsession_is_active because the session_id // isn't empty after a session_write_close - session_start(); + sqsession_start(); if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) { $compose_width = '640'; diff --git a/src/webmail.php b/src/webmail.php index a2dcb105..a4ea43f7 100644 --- a/src/webmail.php +++ b/src/webmail.php @@ -74,7 +74,7 @@ do_hook('webmail_top'); */ $my_language = getPref($data_dir, $username, 'language'); if ($my_language != $squirrelmail_language) { - setcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri); + sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri); } $err=set_up_language(getPref($data_dir, $username, 'language')); -- 2.25.1