HttpOnly flag for session cookie to prevent possible XSS - thx @melbinkm!
This commit is contained in:
azett
parent
9df201725f
commit
34fb2f3e6b
@ -121,6 +121,7 @@ if (isset($_SERVER ['HTTPS'])) {
|
||||
$serverport = "false";
|
||||
// Unterstützung für Apache und IIS
|
||||
ini_set('session.cookie_secure', 1);
|
||||
ini_set('session.cookie_httponly', 1);
|
||||
if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
|
||||
$serverport = "https://";
|
||||
} else {
|
||||
|
||||
@ -23,6 +23,8 @@ function cookie_setup() {
|
||||
define('COOKIE_DOMAIN', false);
|
||||
if (!defined('COOKIE_SECURE'))
|
||||
define('COOKIE_SECURE', true);
|
||||
if (!defined('COOKIE_HTTPONLY'))
|
||||
define('COOKIE_HTTPONLY', true);
|
||||
}
|
||||
|
||||
if (!function_exists('wp_get_cookie_login')) :
|
||||
@ -62,20 +64,20 @@ function cookie_set($username, $password, $already_md5 = false, $home = '', $sit
|
||||
else
|
||||
$expire = 0;
|
||||
|
||||
setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
|
||||
if ($cookiepath != $sitecookiepath) {
|
||||
setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
}
|
||||
}
|
||||
|
||||
function cookie_clear() {
|
||||
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
}
|
||||
|
||||
if (!function_exists('wp_login')) :
|
||||
|
||||
@ -5,7 +5,7 @@ function sess_setup() {
|
||||
session_save_path(SESSION_PATH);
|
||||
|
||||
session_name(SESS_COOKIE);
|
||||
setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
|
||||
session_start();
|
||||
}
|
||||
@ -32,7 +32,7 @@ function sess_get($key) {
|
||||
function sess_close() {
|
||||
unset($_SESSION);
|
||||
if (isset($_COOKIE [session_name()])) {
|
||||
setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE);
|
||||
setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
session_set_cookie_params(-42000);
|
||||
}
|
||||
session_destroy();
|
||||
|
||||
@ -64,8 +64,8 @@ function user_login($userid, $pwd, $params = null) {
|
||||
if ($loggedin) {
|
||||
// session_regenerate_id();
|
||||
$expire = time() + 31536000;
|
||||
setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
}
|
||||
|
||||
return $loggedin;
|
||||
@ -76,8 +76,8 @@ function user_logout() {
|
||||
|
||||
if (user_loggedin()) {
|
||||
|
||||
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
|
||||
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
}
|
||||
|
||||
$loggedin = false;
|
||||
|
||||
@ -292,12 +292,12 @@ if (!function_exists('wp_setcookie')) :
|
||||
$cookiehash = md5($siteurl);
|
||||
}
|
||||
|
||||
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE);
|
||||
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE);
|
||||
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
|
||||
if ($cookiepath != $sitecookiepath) {
|
||||
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
|
||||
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
|
||||
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
}
|
||||
}
|
||||
endif;
|
||||
@ -305,10 +305,10 @@ endif;
|
||||
if (!function_exists('wp_clearcookie')) :
|
||||
|
||||
function wp_clearcookie() {
|
||||
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
|
||||
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
|
||||
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
|
||||
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
|
||||
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
|
||||
}
|
||||
endif;
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user