From 188823c074fb3ba8d20a9e929d493f439add2ce0 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Thu, 29 Aug 2013 13:40:07 -0700
Subject: [PATCH] Remove prefix from forceHTTPS cookie

Match CentralAuth, and set appropriate expiration too.

Bug: 53538
Change-Id: I3c16ff92781e1a72346058ae3838d8fc47019d55
---
 includes/User.php | 35 ++++++++++++++++++++++++++---------
 includes/Wiki.php | 2 +-
 2 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/includes/User.php b/includes/User.php
index 25b35b34d9..f70b50e8a9 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -3134,19 +3134,24 @@ class User {
 * true: Force setting the secure attribute when setting the cookie
 * false: Force NOT setting the secure attribute when setting the cookie
 * null (default): Use the default ($wgCookieSecure) to set the secure attribute
+ * @param array $params Array of options sent passed to WebResponse::setcookie()
 */
- protected function setCookie( $name, $value, $exp = 0, $secure = null ) {
- $this->getRequest()->response()->setcookie( $name, $value, $exp, array(
- 'secure' => $secure,
- ) );
+ protected function setCookie( $name, $value, $exp = 0, $secure = null, $params = array() ) {
+ $params['secure'] = $secure;
+ $this->getRequest()->response()->setcookie( $name, $value, $exp, $params );
 }
 
 /**
 * Clear a cookie on the user's client
 * @param string $name Name of the cookie to clear
+ * @param bool $secure
+ * true: Force setting the secure attribute when setting the cookie
+ * false: Force NOT setting the secure attribute when setting the cookie
+ * null (default): Use the default ($wgCookieSecure) to set the secure attribute
+ * @param array $params Array of options sent passed to WebResponse::setcookie()
 */
- protected function clearCookie( $name ) {
- $this->setCookie( $name, '', time() - 86400 );
+ protected function clearCookie( $name, $secure = null, $params = array() ) {
+ $this->setCookie( $name, '', time() - 86400, $secure, $params );
 }
 
 /**
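Review bot: `$params['secure'] = $secure;` in the new setCookie() body silently overwrites any 'secure' key a caller passes in `$params`, and neither new docblock says so, even though `$params` is now documented as the pass-through to WebResponse::setcookie() and a reader may expect `array( 'secure' => true )` to be honoured. I would state the precedence in both docblocks, e.g. `* @param array $params Additional options passed to WebResponse::setcookie(); the 'secure' entry is always replaced by $secure`, which also fixes the "options sent passed to" wording that appears twice in this hunk. Declaring the parameter as `array $params = array()` would reject a non-array at the boundary instead of letting `$params['secure']` fail later inside the method.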
@@ -3204,10 +3209,22 @@ class User {
 /**
 * If wpStickHTTPS was selected, also set an insecure cookie that
 * will cause the site to redirect the user to HTTPS, if they access
- * it over HTTP. Bug 29898.
+ * it over HTTP. Bug 29898. Use an un-prefixed cookie, so it's the same
+ * as the one set by centralauth (bug 53538). Also set it to session, or
+ * standard time setting, based on if rememberme was set.
 */
 if ( $request->getCheck( 'wpStickHTTPS' ) || $this->requiresHTTPS() ) {
- $this->setCookie( 'forceHTTPS', 'true', time() + 2592000, false ); //30 days
+ $time = null;
+ if ( ( 1 == $this->getOption( 'rememberpassword' ) ) ) {
+ $time = 0; // set to $wgCookieExpiration
+ }
+ $this->setCookie(
+ 'forceHTTPS',
+ 'true',
+ $time,
+ false,
+ array( 'prefix' => '' ) // no prefix
+ );
 }
 }
 
@@ -3231,7 +3248,7 @@ class User {
 
 $this->clearCookie( 'UserID' );
 $this->clearCookie( 'Token' );
- $this->clearCookie( 'forceHTTPS' );
+ $this->clearCookie( 'forceHTTPS', false, array( 'prefix' => '' ) );
 
 // Remember when user logged out, to prevent seeing cached pages
 $this->setCookie( 'LoggedOut', time(), time() + 86400 );
diff --git a/includes/Wiki.php b/includes/Wiki.php
index 6ac9341f3a..35fa8e66d5 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -508,7 +508,7 @@ class MediaWiki {
 // preference set, redirect them to HTTPS.
 if (
 (
- $request->getCookie( 'forceHTTPS' ) ||
+ $request->getCookie( 'forceHTTPS', '' ) ||
 // Avoid checking the user and groups unless it's enabled.
 (
 $this->context->getUser()->isLoggedIn()
--
2.20.1
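Review bot: The expiry handed to setCookie() for the forceHTTPS cookie is `$time = null` unless `1 == $this->getOption( 'rememberpassword' )`, and the only place that says null means a session cookie is the block comment; setCookie()'s own signature documents `$exp = 0` as the special value, so the null/0 distinction rests on WebResponse::setcookie() behaviour this hunk does not show — please confirm it and say so at the call site, e.g. `$time = null; // session cookie: null is passed through to WebResponse::setcookie()`. The doubled parentheses in `if ( ( 1 == $this->getOption( 'rememberpassword' ) ) )` are redundant, and the loose `==` against an option value is a style point worth tidying while here. Forcing `false` for the secure attribute is intended, since the cookie exists so an HTTP request can be redirected, and its value is a bare flag, so no sensitive data rides on it; the enclosing method continues outside the hunk.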
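Review bot: Logout now clears only the un-prefixed forceHTTPS cookie, so a browser that still holds the prefixed cookie set by the previous code (which gave it a 30-day expiry) keeps it until it lapses. Since the Wiki.php hunk now reads only the un-prefixed name, the stale cookie is no longer honoured, so the effect is a lost HTTPS redirect rather than an exposure, but clearing both during the transition is one line: keep `$this->clearCookie( 'forceHTTPS' );` next to the new call. The enclosing method starts and ends outside the hunk.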
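Review bot: `$request->getCookie( 'forceHTTPS', '' )` relies on the second positional argument being the cookie prefix and on `''` rather than `null` meaning "no prefix", none of which is visible here and which is easy to misread as an empty default value; a short comment at the call site, e.g. `// un-prefixed cookie shared with CentralAuth (bug 53538)`, would spare the next reader that lookup. Clients that only hold the previously prefixed cookie will no longer be redirected until the new cookie is set at their next login, which is consistent with the commit message but may be worth stating there. The enclosing condition starts and ends outside the hunk.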