From: Tyler Anthony Romeo
Date: Fri, 7 Dec 2012 19:54:20 +0000 (-0500)
Subject: (bug 42832) Fixed cookie security when not wpStickHTTPS.
X-Git-Tag: 1.31.0-rc.0~21319^2
X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dcompta/comptes/journal.php?a=commitdiff_plain;h=7921dc1d5bae8d843871b9d782482268b3fefef0;p=lhc%2Fweb%2Fwiklou.git

(bug 42832) Fixed cookie security when not wpStickHTTPS.

When a user goes to a secure login page, but does not want to stick to HTTPS, reset the session so that all session cookies are not secure otherwise the session won't be setup on HTTP.

Change-Id: I54ba02b723442f6d8b585f0f86a572b56be06596
---

diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 4980ffb230..a09d5bddf1 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -752,7 +752,7 @@ class LoginForm extends SpecialPage {
 	}
 
 	function processLogin() {
-		global $wgMemc, $wgLang, $wgSecureLogin;
+		global $wgMemc, $wgLang, $wgSecureLogin, $wgCookieSecure;
 
 		switch ( $this->authenticateUserData() ) {
 			case self::SUCCESS:
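Review bot: The `$wgCookieSecure` added to processLogin's global list is not referenced anywhere in this hunk, and renewSessionId declares its own `global $wgSecureLogin, $wgCookieSecure;` in the second hunk, so unless the rest of processLogin reads or writes it the import is dead and the line should stay `global $wgMemc, $wgLang, $wgSecureLogin;`. processLogin's body continues past the end of the hunk, so this cannot be confirmed from the diff alone.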
@@ -1264,15 +1264,21 @@ class LoginForm extends SpecialPage {
 	 * Renew the user's session id, using strong entropy
 	 */
 	private function renewSessionId() {
-		if ( wfCheckEntropy() ) {
+		global $wgSecureLogin, $wgCookieSecure;
+		if( $wgSecureLogin && !$this->mStickHTTPS ) {
+			$wgCookieSecure = false;
+		}
+
+		// If either we don't trust PHP's entropy, or if we need
+		// to change cookie settings when logging in because of
+		// wpStickHTTPS, then change the session ID manually.
+		$cookieParams = session_get_cookie_params();
+		if ( wfCheckEntropy() && $wgCookieSecure == $cookieParams['secure'] ) {
 			session_regenerate_id( false );
 		} else {
-			//If we don't trust PHP's entropy, we have to replace the session manually
 			$tmp = $_SESSION;
-			session_unset();
-			session_write_close();
-			session_id( MWCryptRand::generateHex( 32 ) );
-			session_start();
+			session_destroy();
+			wfSetupSession( MWCryptRand::generateHex( 32 ) );
 			$_SESSION = $tmp;
 		}
 	}
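Review bot: The assignment `$wgCookieSecure = false;` mutates a global for the remainder of the request on the strength of the request-supplied `mStickHTTPS` flag, so every cookie issued after this point (presumably including any login or token cookies set later in the same request, not only the session cookie) is sent without the Secure attribute; the new comment should state that this downgrade is deliberate, e.g. `// Intentionally drops Secure from every cookie set for the rest of this request: the user chose to continue over plain HTTP, so Secure cookies would never be sent back.` The new condition `$wgCookieSecure == $cookieParams['secure']` should compare strictly, `if ( wfCheckEntropy() && $wgCookieSecure === $cookieParams['secure'] ) {`, so that a non-boolean configuration value cannot make the two branches disagree about whether the cookie parameters actually changed. The new `if(` should be `if (` to match the surrounding code. The kept `session_regenerate_id( false )` on the first branch leaves the previous session data alive under the old id, which is pre-existing behavior rather than part of this change but is worth noting next to the new comment since this function is the login's session-fixation defence.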