
NEW If $dolibarr_main_force_https is set, the flag 'secure' on the session
cookie is also set.

Laurent Destailleur 5 years ago
parent
commit
ba8ece525d
2 changed files with 5 additions and 5 deletions
  1. 2 2
      htdocs/conf/conf.php.example
  2. 3 3
      htdocs/main.inc.php

+ 2 - 2
htdocs/conf/conf.php.example

@@ -218,7 +218,7 @@ $dolibarr_main_authentication='dolibarr';
 // 0 = No forced redirect
 // 1 = Force redirect to https, until SCRIPT_URI start with https into response
 // 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response
-// 'https://my.domain.com' = Force reditect to https using this domain name.
+// 'https://my.domain.com' = Force redirect to https using this domain name.
 // Warning: If you enable this parameter, your web server must be configured to
 // respond URL with https protocol.
 // According to your web server setup, some values may works and other not. Try
@@ -226,7 +226,7 @@ $dolibarr_main_authentication='dolibarr';
 // Default value: 0
 // Possible values: 0, 1, 2 or 'https://my.domain.com'
 // Examples:
-// $dolibarr_main_force_https='0';
+// $dolibarr_main_force_https='1';
 //
 $dolibarr_main_force_https='0';
 

+ 3 - 3
htdocs/main.inc.php

@@ -210,7 +210,7 @@ $sessionname = 'DOLSESSID_'.$prefix;
 $sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
 if (!empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
 session_name($sessionname);
-session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
+session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
 // This create lock, released when session_write_close() or end of page.
 // We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
 if (!defined('NOSESSION'))
@@ -625,7 +625,7 @@ if (!defined('NOLOGIN'))
 			dol_syslog('User not found, connexion refused');
 			session_destroy();
 			session_name($sessionname);
-			session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
+			session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
 			session_start();
 
 			if ($resultFetchUser == 0)
@@ -682,7 +682,7 @@ if (!defined('NOLOGIN'))
 			dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
 			session_destroy();
 			session_name($sessionname);
-			session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie
+			session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
 			session_start();
 
 			if ($resultFetchUser == 0)
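Review bot: The three new `session_set_cookie_params(...)` calls (the first hunk at -210 and the two at -625 and -682) repeat the same `(empty($dolibarr_main_force_https) ? false : true)` expression, which is just `!empty($dolibarr_main_force_https)` and should be computed once, e.g. `$sessioncookiesecure = !empty($dolibarr_main_force_https);` next to `$sessionname`, so the three call sites cannot drift apart. Whether `$dolibarr_main_force_https` is already in scope at the first call depends on conf.php having been included earlier in main.inc.php, which is outside the hunk — worth confirming, since an unset variable silently yields `secure=false` rather than an error. With modes 1 and 2 the redirect to https presumably happens after this call, so a session cookie first emitted over plain http may be refused by browsers because of the Secure flag; that seems acceptable if the redirect always follows, but a short comment stating this expectation would help. If the project's minimum PHP is 7.3 or later, the array form of session_set_cookie_params would also allow `'samesite' => 'Lax'`, which this change does not add. The surrounding top-level code and the `if (!defined('NOLOGIN'))` block continue outside the hunks.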