DRY: set (secure) cookies using rcmail::setcookie() + set session.only_use_cookies

16 years ago · cefd1d8c91
parent cc4b36b143
commit cefd1d8c91
3 changed files with 19 additions and 7 deletions
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
@ -52,6 +52,7 @@ if (set_include_path($include_path) === false) {

 ini_set('session.name', 'roundcube_sessid');
 ini_set('session.use_cookies', 1);
+ini_set('session.only_use_cookies', 1);
 ini_set('session.gc_maxlifetime', 21600);
 ini_set('session.gc_divisor', 500);
 ini_set('error_reporting', E_ALL&~E_NOTICE);
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@ -728,9 +728,7 @@ class rcmail
      if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now - $_SESSION['auth_time'] > 300)) {
        $_SESSION['last_auth'] = $_SESSION['auth_time'];
        $_SESSION['auth_time'] = $now;
-        $cookie = session_get_cookie_params();
-        setcookie('sessauth', $this->get_auth_hash(session_id(), $now), 0, $cookie['path'],
-                  $cookie['domain'], $_SERVER['HTTPS'] && ($_SERVER['HTTPS']!='off'));
+        rcmail::setcookie('sessauth', $this->get_auth_hash(session_id(), $now), 0);
      }
    }
    else {
@ -753,7 +751,7 @@ class rcmail
  public function kill_session()
  {
    $_SESSION = array('language' => $this->user->language, 'auth_time' => time(), 'temp' => true);
-    setcookie('sessauth', '-del-', time() - 60);
+    rcmail::setcookie('sessauth', '-del-', time() - 60);
    $this->user->reset();
  }

@ -911,6 +909,21 @@ class rcmail
    }
    return $url;
  }
+
+
+  /**
+   * Helper method to set a cookie with the current path and host settings
+   *
+   * @param string Cookie name
+   * @param string Cookie value
+   * @param string Expiration time
+   */
+  public static function setcookie($name, $value, $exp = 0)
+  {
+    $cookie = session_get_cookie_params();
+    setcookie($name, $value, $exp, $cookie['path'], $cookie['domain'],
+      ($_SERVER['HTTPS'] && ($_SERVER['HTTPS'] != 'off')));
+  }
 }


--- a/program/include/session.inc
+++ b/program/include/session.inc
@ -183,9 +183,7 @@ function rcube_sess_regenerate_id()
  $cookie   = session_get_cookie_params();
  $lifetime = $cookie['lifetime'] ? time() + $cookie['lifetime'] : 0;

-  setcookie(session_name(), '', time() - 3600);
-  setcookie(session_name(), $random, $lifetime, $cookie['path'], $cookie['domain'],
-            $_SERVER['HTTPS'] && ($_SERVER['HTTPS']!='off'));
+  rcmail::setcookie(session_name(), $random, $lifetime);

  return true;
 }