Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

- Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.

merge-requests/26/head
Dries Buytaert 2008-08-18 18:56:01 +00:00
parent ba6aa9f515
commit 06379c5470
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
includes/bootstrap.inc
View File

@ -373,6 +373,15 @@ function conf_init() {
$cookie_domain = check_plain($_SERVER['HTTP_HOST']); $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
} }
} }
// To prevent session cookies from being hijacked, a user can configure the
// SSL version of their website to only transfer session cookies via SSL by
// using PHP's session.cookie_secure setting. The browser will then use two
// separate session cookies for the HTTPS and HTTP versions of the site. So we
// must use different session identifiers for HTTPS and HTTP to prevent a
// cookie collision.
if (ini_get('session.cookie_secure')) {
$session_name .= 'SSL';
}
// Strip leading periods, www., and port numbers from cookie domain. // Strip leading periods, www., and port numbers from cookie domain.
$cookie_domain = ltrim($cookie_domain, '.'); $cookie_domain = ltrim($cookie_domain, '.');
if (strpos($cookie_domain, 'www.') === 0) { if (strpos($cookie_domain, 'www.') === 0) {