1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-12-22 13:45:02 +00:00

Improve security of PHP session variable by setting HttpOnly flag. Fixes #129.

This commit is contained in:
Starbeamrainbowlabs 2016-12-23 21:31:33 +00:00
parent 855079b438
commit d17925a662
3 changed files with 5 additions and 4 deletions

View file

@ -32,6 +32,7 @@
- Improved the search engine indexing algorithm. It now shouldn't choke on certain special characters (`[]{}|`) and will treat them as word boundaries.
- Fixed tag links at the bottom of pages for tags with a single quote (`'`) in them.
- Correct error message when attempting to move a page
- Improved security of PHP session cookie by setting HttpOnly flag.
## v0.12.1

View file

@ -52,7 +52,7 @@ $guiConfig = <<<'GUICONFIG'
}},
"admins": {"type": "array", "description": "An array of usernames that are administrators. Administrators can delete and move pages.", "default": [ "admin" ]},
"anonymous_user_name": { "type": "text", "description": "The default name for anonymous users.", "default": "Anonymous" },
"user_preferences_button_text": { "type": "text", "description": "The text to display on the button that lets logged in users chang their settings. Defaults to a cog (aka a 'gear' in unicode-land).", "default": "&#x2699;" },
"user_preferences_button_text": { "type": "text", "description": "The text to display on the button that lets logged in users chang their settings. Defaults to a cog (aka a 'gear' in unicode-land).", "default": "&#x2699; " },
"use_sha3": {"type": "checkbox", "description": "Whether to use the new sha3 hashing algorithm for passwords etc.", "default": false },
"require_login_view": {"type": "checkbox", "description": "Whether to require that users login before they do anything else. Best used with the data_storage_dir option.", "default": false},
"data_storage_dir": {"type": "text", "description": "The directory in which to store all files, except the main index.php.", "default": "."},
@ -357,7 +357,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start();
// Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime);
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System /////////
// Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and
@ -1377,7 +1377,7 @@ class page_renderer
{
$result .= "<span class='inflexible logged-in" . ($env->is_logged_in ? " moderator" : " normal-user") . "'>";
if(module_exists("feature-user-preferences")) {
$result .= "<a href='?action=user-preferences'>$settings->user_preferences_button_text</a> ";
$result .= "<a href='?action=user-preferences'>$settings->user_preferences_button_text</a>";
}
$result .= self::render_username($env->user) . " <small>(<a href='index.php?action=logout'>Logout</a>)</small>";
$result .= "</span>";

View file

@ -39,7 +39,7 @@ $paths->upload_file_prefix = "Files/"; // The prefix to add to uploaded files
session_start();
// Make sure that the login cookie lasts beyond the end of the user's session
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime);
setcookie(session_name(), session_id(), time() + $settings->sessionlifetime, "", "", false, true);
///////// Login System /////////
// Clear expired sessions
if(isset($_SESSION[$settings->sessionprefix . "-expiretime"]) and