more cookie security FS#1490

This patch adds the httponly option to the PHP session cookies and DokuWiki's
auth cookie when supported by the PHP version.

It also adds a new config option 'securecookie' which is enabled by default.
It makes sure the browser will not sent a cookie set via HTTPS over a
non-secured connection. This option has to be disabled for wikis that only
protect the login with SSL but not the whole wiki.

darcs-hash:20080912224922-7ad00-d5275147ba9d17a9f6defa8a51ca720da74ba8a0.gz

conf/dokuwiki.php

@@ -65,10 +65,11 @@ $conf['passcrypt']   = 'smd5';           //Used crypt method (smd5,md5,sha1,ssha
 $conf['defaultgroup']= 'user';           //Default groups new Users are added to
 $conf['superuser']   = '!!not set!!';    //The admin can be user or @group or comma separated list user1,@group1,user2
 $conf['manager']     = '!!not set!!';    //The manager can be user or @group or comma separated list user1,@group1,user2
-$conf['profileconfirm'] = '1';           //Require current password to confirm changes to user profile
+$conf['profileconfirm'] = 1;             //Require current password to confirm changes to user profile
 $conf['disableactions'] = '';            //comma separated list of actions to disable
 $conf['sneaky_index']   = 0;             //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
 $conf['auth_security_timeout'] = 900;    //time (seconds) auth data is considered valid, set to 0 to recheck on every page view
+$conf['securecookie'] = 1;               //never send HTTPS cookies via HTTP
 
 /* Advanced Options */
 

inc/auth.php

@@ -135,7 +135,11 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
       $pass   = PMA_blowfish_encrypt($pass,auth_cookiesalt());
       $cookie = base64_encode("$user|$sticky|$pass");
       if($sticky) $time = time()+60*60*24*365; //one year
-      setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL);
+      if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+          setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);
+      }else{
+          setcookie(DOKU_COOKIE,$cookie,$time,DOKU_REL,'',($conf['securecookie'] && is_ssl()));
+      }
 
       // set session
       $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
@@ -286,7 +290,12 @@ function auth_logoff(){
   if(isset($_SERVER['REMOTE_USER']))
     unset($_SERVER['REMOTE_USER']);
   $USERINFO=null; //FIXME
-  setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL);
+
+  if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+    setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()),true);
+  }else{
+    setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,($conf['securecookie'] && is_ssl()));
+  }
 
   if($auth && $auth->canDo('logoff')){
     $auth->logOff();

inc/init.php

@@ -114,7 +114,11 @@
   // init session
   if (!headers_sent() && !defined('NOSESSION')){
     session_name("DokuWiki");
-    session_set_cookie_params(0, DOKU_REL);
+    if (version_compare(PHP_VERSION, '5.2.0', '>')) {
+      session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()),true);
+    }else{
+      session_set_cookie_params(0,DOKU_REL,'',($conf['securecookie'] && is_ssl()));
+    }
     session_start();
   }
 
@@ -341,9 +345,7 @@ function getBaseURL($abs=null){
   if(!$port)  $port = $_SERVER['SERVER_PORT'];
   if(!$port)  $port = 80;
 
-  // see if HTTPS is enabled - apache leaves this empty when not available,
-  // IIS sets it to 'off', 'false' and 'disabled' are just guessing
-  if (preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS'])){
+  if(!is_ssl()){
     $proto = 'http://';
     if ($port == '80') {
       $port='';
@@ -360,6 +362,22 @@ function getBaseURL($abs=null){
   return $proto.$host.$port.$dir;
 }
 
+/**
+ * Check if accessed via HTTPS
+ *
+ * Apache leaves ,$_SERVER['HTTPS'] empty when not available, IIS sets it to 'off'.
+ * 'false' and 'disabled' are just guessing
+ *
+ * @returns bool true when SSL is active
+ */
+function is_ssl(){
+    if (preg_match('/^(|off|false|disabled)$/i',$_SERVER['HTTPS'])){
+        return false;
+    }else{
+        return true;
+    }
+}
+
 /**
  * Append a PHP extension to a given file and adds an exit call
  *

lib/plugins/config/lang/en/lang.php

@@ -99,6 +99,7 @@ $lang['disableactions_wikicode'] = 'View source/Export Raw';
 $lang['disableactions_other'] = 'Other actions (comma separated)';
 $lang['sneaky_index'] = 'By default, DokuWiki will show all namespaces in the index view. Enabling this option will hide those where the user doesn\'t have read permissions. This might result in hiding of accessable subnamespaces. This may make the index unusable with certain ACL setups.';
 $lang['auth_security_timeout'] = 'Authentication Security Timeout (seconds)';
+$lang['securecookie'] = 'Should cookies set via HTTPS only be sent via HTTPS by the browser? Disable this option when only the login of your wiki is secured with SSL but browsing the wiki is done unsecured.';
 
 /* Advanced Options */
 $lang['updatecheck'] = 'Check for updates and security warnings? DokuWiki needs to contact splitbrain.org for this feature.';

lib/plugins/config/settings/config.metadata.php

@@ -123,6 +123,7 @@ $meta['disableactions'] = array('disableactions',
                                 '_combine' => array('subscription' => array('subscribe','unsubscribe'), 'wikicode' => array('source','export_raw'), 'nssubscription' => array('subscribens','unsubscribens')));
 $meta['sneaky_index'] = array('onoff');
 $meta['auth_security_timeout'] = array('numeric');
+$meta['securecookie'] = array('onoff');
 
 $meta['_anti_spam']  = array('fieldset');
 $meta['usewordblock']= array('onoff');