Fixed bug #522887 - Using SSL -> cookies are unsecure

ChangeLog

@@ -12,6 +12,8 @@ $Source$
 	  to Purodha B Blissenbach <purodha at sourceforge.net>.
 	* libraries/auth/*: patch #522671 - Add charset when asking for auth,
 	  thanks to "nijel".
+	* main.php3, lines 11-15; libraries/auth/cookie.auth.lib.php3: fixed bug
+	  #522887 Using SSL -> cookies are unsecure.
 
 2002-02-24 Lo<4C>c Chapeaux  <lolo@phpheaven.net>
 	* lang/german.inc.php3: updated thanks to Alexander M. Turek.

libraries/auth/cookie.auth.lib.php3

@@ -13,8 +13,11 @@ if (!defined('PMA_COOKIE_AUTH_INCLUDED')) {
 
     // Gets the default font sizes
     PMA_setFontSizes();
-    // Defines the cookie path
-    $cookiePath = substr($SCRIPT_NAME, 0, strrpos($SCRIPT_NAME, '/'));
+    // Defines the cookie path and whether the server is using https or not
+    $pma_uri_parts = parse_url($cfgPmaAbsoluteUri);
+    $cookie_path   = substr($pma_uri_parts['path'], 0, strrpos($pma_uri_parts['path'], '/'));
+    $is_https      = ($pma_uri_parts['scheme'] == 'https') ? 1 : 0;
+
 
     /**
      * Sorts available languages by their true names
@@ -276,7 +279,9 @@ if (uname.value == '') {
 
         // The user wants to be logged out -> delete password cookie
         if (!empty($old_usr)) {
-            setcookie('pma_cookie_password', '', 0, $GLOBALS['cookiePath']);
+            setcookie('pma_cookie_password', '', 0,
+                      $GLOBALS['cookie_path'], '' ,
+                      $GLOBALS['is_https']);
         }
 
         // The user just logged in
@@ -367,9 +372,10 @@ if (uname.value == '') {
             // Duration = one month for username
             setcookie('pma_cookie_username', $cfgServer['user'],
                 time() + (60 * 60 * 24 * 30),
-                $GLOBALS['cookiePath']);
+                $GLOBALS['cookie_path'], '' ,
+                $GLOBALS['is_https']);
             // Duration = till the browser is closed for password
-            setcookie('pma_cookie_password', $cfgServer['password'], 0, $GLOBALS['cookiePath']);
+            setcookie('pma_cookie_password', $cfgServer['password'], 0, $GLOBALS['cookie_path']);
         }
 
         return TRUE;
@@ -386,7 +392,9 @@ if (uname.value == '') {
     function PMA_auth_fails()
     {
         // Deletes password cookie and displays the login form
-        setcookie('pma_cookie_password', '', 0, $GLOBALS['cookiePath']);
+        setcookie('pma_cookie_password', '', 0,
+                  $GLOBALS['cookie_path'], '' ,
+                  $GLOBALS['is_https']);
         PMA_auth();
 
         return TRUE;

main.php3

@@ -8,10 +8,12 @@
 require('./libraries/grab_globals.lib.php3');
 require('./libraries/common.lib.php3');
 // Puts the language to use in a cookie that will expire in 30 days
-if (!isset($cookiePath)) {
-    $cookiePath = substr($SCRIPT_NAME, 0, strrpos($SCRIPT_NAME, '/'));
+if (!isset($pma_uri_parts)) {
+    $pma_uri_parts = parse_url($cfgPmaAbsoluteUri);
+    $cookie_path   = substr($pma_uri_parts['path'], 0, strrpos($pma_uri_parts['path'], '/'));
+    $is_https      = ($pma_uri_parts['scheme'] == 'https') ? 1 : 0;
 }
-setcookie('lang', $lang, time() + 60*60*24*30, $cookiePath);
+setcookie('lang', $lang, time() + 60*60*24*30, $cookie_path, '', $is_https);
 // Defines the "item" image depending on text direction
 $item_img = 'images/item_' . $text_dir . '.gif';
 // Handles some variables that may have been sent by the calling script