diff --git a/ChangeLog b/ChangeLog
index 3eab2d3fc..79c7e03c5 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,8 @@ $Source$
 to Purodha B Blissenbach .
 * libraries/auth/*: patch #522671 - Add charset when asking for auth, thanks to "nijel".
+ * main.php3, lines 11-15; libraries/auth/cookie.auth.lib.php3: fixed bug
+ #522887 Using SSL -> cookies are unsecure.
 2002-02-24 Loïc Chapeaux
 * lang/german.inc.php3: updated thanks to Alexander M. Turek.
diff --git a/libraries/auth/cookie.auth.lib.php3 b/libraries/auth/cookie.auth.lib.php3
index 0fc4dc192..c5741499e 100644
--- a/libraries/auth/cookie.auth.lib.php3
+++ b/libraries/auth/cookie.auth.lib.php3
@@ -13,8 +13,11 @@ if (!defined('PMA_COOKIE_AUTH_INCLUDED')) {
 // Gets the default font sizes
 PMA_setFontSizes();
- // Defines the cookie path
- $cookiePath = substr($SCRIPT_NAME, 0, strrpos($SCRIPT_NAME, '/'));
+ // Defines the cookie path and whether the server is using https or not
+ $pma_uri_parts = parse_url($cfgPmaAbsoluteUri);
+ $cookie_path = substr($pma_uri_parts['path'], 0, strrpos($pma_uri_parts['path'], '/'));
+ $is_https = ($pma_uri_parts['scheme'] == 'https') ? 1 : 0;
+
 /**
 * Sorts available languages by their true names
@@ -276,7 +279,9 @@ if (uname.value == '') {
 // The user wants to be logged out -> delete password cookie
 if (!empty($old_usr)) {
- setcookie('pma_cookie_password', '', 0, $GLOBALS['cookiePath']);
+ setcookie('pma_cookie_password', '', 0,
+ $GLOBALS['cookie_path'], '' ,
+ $GLOBALS['is_https']);
 }
 // The user just logged in
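Review bot: The new `$pma_uri_parts` lines in the @@ -13 hunk read `$pma_uri_parts['path']` and `$pma_uri_parts['scheme']` without checking that `parse_url()` produced those keys, so a `$cfgPmaAbsoluteUri` configured without a scheme (or without a trailing path) would presumably leave `$cookie_path` empty and `$is_https` at 0, silently dropping the secure flag this commit exists to add; the identical block appears again in the main.php3 hunk. The scheme comparison is also case-sensitive, so an `HTTPS://` URI would not be recognised. I would guard it: `$is_https = (isset($pma_uri_parts['scheme']) && strtolower($pma_uri_parts['scheme']) == 'https') ? 1 : 0;` and likewise wrap the `$cookie_path` line in `isset($pma_uri_parts['path'])` with `''` as the fallback. Worth a comment on the `$is_https` line that the flag is derived from the configured absolute URI rather than from the actual request, so an installation reached over https but configured with an http URI still sends its cookies without the secure attribute.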
@@ -367,9 +372,10 @@ if (uname.value == '') {
 // Duration = one month for username
 setcookie('pma_cookie_username', $cfgServer['user'], time() + (60 * 60 * 24 * 30),
- $GLOBALS['cookiePath']);
+ $GLOBALS['cookie_path'], '' ,
+ $GLOBALS['is_https']);
 // Duration = till the browser is closed for password
- setcookie('pma_cookie_password', $cfgServer['password'], 0, $GLOBALS['cookiePath']);
+ setcookie('pma_cookie_password', $cfgServer['password'], 0, $GLOBALS['cookie_path']);
 }
 return TRUE;
@@ -386,7 +392,9 @@ if (uname.value == '') {
 function PMA_auth_fails()
 {
 // Deletes password cookie and displays the login form
- setcookie('pma_cookie_password', '', 0, $GLOBALS['cookiePath']);
+ setcookie('pma_cookie_password', '', 0,
+ $GLOBALS['cookie_path'], '' ,
+ $GLOBALS['is_https']);
 PMA_auth();
 return TRUE;
diff --git a/main.php3 b/main.php3
index 27f1c358e..0a60eafc3 100755
--- a/main.php3
+++ b/main.php3
@@ -8,10 +8,12 @@ require('./libraries/grab_globals.lib.php3');
 require('./libraries/common.lib.php3');
 // Puts the language to use in a cookie that will expire in 30 days
-if (!isset($cookiePath)) {
- $cookiePath = substr($SCRIPT_NAME, 0, strrpos($SCRIPT_NAME, '/'));
+if (!isset($pma_uri_parts)) {
+ $pma_uri_parts = parse_url($cfgPmaAbsoluteUri);
+ $cookie_path = substr($pma_uri_parts['path'], 0, strrpos($pma_uri_parts['path'], '/'));
+ $is_https = ($pma_uri_parts['scheme'] == 'https') ? 1 : 0;
 }
-setcookie('lang', $lang, time() + 60*60*24*30, $cookiePath);
+setcookie('lang', $lang, time() + 60*60*24*30, $cookie_path, '', $is_https);
 // Defines the "item" image depending on text direction
 $item_img = 'images/item_' . $text_dir . '.gif';
 // Handles some variables that may have been sent by the calling script
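Review bot: The password cookie written on login in the @@ -367 hunk, `setcookie('pma_cookie_password', $cfgServer['password'], 0, $GLOBALS['cookie_path']);`, was only switched to the renamed path variable and still does not pass the secure flag, while the username cookie just above it and both deletion calls (the @@ -279 and @@ -392 hunks) do. Because this cookie carries the password value itself, it is the one that most needs to be confined to https, so bug #522887 stays open for it. Change it to `setcookie('pma_cookie_password', $cfgServer['password'], 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);`. The enclosing function starts before the hunk and its closing brace is after it.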
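Review bot: The three assignments inside `if (!isset($pma_uri_parts))` in the main.php3 hunk are a verbatim copy of the block this commit adds to cookie.auth.lib.php3, and the guard tests only `$pma_uri_parts`, so any earlier include that sets that variable without also setting `$cookie_path` and `$is_https` would leave the `setcookie('lang', ...)` call below with undefined arguments. main.php3 already does `require('./libraries/common.lib.php3')` on the first context line, so computing `$pma_uri_parts`, `$cookie_path` and `$is_https` once in that common library (assuming the auth library is loaded after it) and removing both copies would eliminate the duplication and the fragile isset guard. If the copy is kept, add a comment such as `// Keep in sync with the same block in libraries/auth/cookie.auth.lib.php3` above the `if` so the two do not drift apart.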