From 7921dc1d5bae8d843871b9d782482268b3fefef0 Mon Sep 17 00:00:00 2001
From: Tyler Anthony Romeo
Date: Fri, 7 Dec 2012 14:54:20 -0500
Subject: [PATCH] (bug 42832) Fixed cookie security when not wpStickHTTPS.

When a user goes to a secure login page, but does not want to stick to HTTPS, reset the session so that all session cookies are not secure otherwise the session won't be setup on HTTP.

Change-Id: I54ba02b723442f6d8b585f0f86a572b56be06596
---
 includes/specials/SpecialUserlogin.php | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 4980ffb230..a09d5bddf1 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -752,7 +752,7 @@ class LoginForm extends SpecialPage {
 }
 
 function processLogin() {
- global $wgMemc, $wgLang, $wgSecureLogin;
+ global $wgMemc, $wgLang, $wgSecureLogin, $wgCookieSecure;
 
 switch ( $this->authenticateUserData() ) {
 case self::SUCCESS:
@@ -1264,15 +1264,21 @@ class LoginForm extends SpecialPage {
 * Renew the user's session id, using strong entropy
 */
 private function renewSessionId() {
- if ( wfCheckEntropy() ) {
+ global $wgSecureLogin, $wgCookieSecure;
+ if( $wgSecureLogin && !$this->mStickHTTPS ) {
+ $wgCookieSecure = false;
+ }
+
+ // If either we don't trust PHP's entropy, or if we need
+ // to change cookie settings when logging in because of
+ // wpStickHTTPS, then change the session ID manually.
+ $cookieParams = session_get_cookie_params();
+ if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
 session_regenerate_id( false );
 } else {
- //If we don't trust PHP's entropy, we have to replace the session manually
 $tmp = $_SESSION;
- session_unset();
- session_write_close();
- session_id( MWCryptRand::generateHex( 32 ) );
- session_start();
+ session_destroy();
+ wfSetupSession( MWCryptRand::generateHex( 32 ) );
 $_SESSION = $tmp;
 }
 }
-- 
2.20.1
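Review bot: `$wgCookieSecure` is added to processLogin's `global` list, but no use of it is visible in this hunk, and the only consumer the commit shows (renewSessionId, in the second hunk) declares its own `global $wgSecureLogin, $wgCookieSecure;`. If processLogin does not reference it further down, the addition here is a dead declaration and the line should stay `global $wgMemc, $wgLang, $wgSecureLogin;`. processLogin's body continues outside the hunk, so it may well be used there; in that case a short comment on the use site explaining why the login path needs to read or override the cookie flag would help the next reader.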
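Review bot: The new condition `$wgCookieSecure == $cookieParams['secure']` uses a loose comparison; `session_get_cookie_params()` returns a bool for `secure`, so if `$wgCookieSecure` ever holds a non-boolean at this point (MediaWiki has historically accepted a string sentinel for this setting that is normalised during setup — verify for this tree) the branch choice depends on truthiness rather than on the flag's value, so prefer `if ( wfCheckEntropy() && (bool)$wgCookieSecure === $cookieParams['secure'] ) {`. Assigning `$wgCookieSecure = false;` inside a private helper named renewSessionId is also a request-wide side effect: every cookie set later in this request, not only the session cookie, is emitted without the Secure flag, which is the intent described in the commit message but is invisible to callers. The method's docblock begins above the hunk; it should state this, e.g. `When $wgSecureLogin is on and the user did not ask to stick to HTTPS, this also clears $wgCookieSecure for the rest of the request so the new session is usable over HTTP.` Whether wfSetupSession() picks up the changed `$wgCookieSecure` when it sets the cookie parameters is presumably what makes the `session_destroy()` path work, but that is not visible here and is worth a one-line comment at the call. Finally, `if( $wgSecureLogin && !$this->mStickHTTPS ) {` departs from the `if ( ... )` spacing used on the next added conditional.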