Commit 80d81d4e authored by lphuberdeau's avatar lphuberdeau

[NEW] Preference to prevent accessing the site outside HTTPS, to prevent session hijacking

parent ea57ff05
......@@ -40,5 +40,11 @@ function prefs_session_list() {
'perspective' => false,
'size' => 10,
),
'session_protected' => array(
'name' => tra('Protect all sessions'),
'description' => tra('Always redirect to HTTPS to prevent session hijack through network sniffing.'),
'type' => 'flag',
'perspective' => false,
),
);
}
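Review bot: The description on the `session_protected` flag promises more than the redirect delivers: a redirect alone does not stop the session cookie from being sent in clear over the initial HTTP request, so the "prevent session hijack through network sniffing" claim only holds when the session cookie is also marked secure. Consider wording the description so an admin knows the dependency, e.g. `'description' => tra('Always redirect to HTTPS to prevent session hijack through network sniffing. The site must be reachable over HTTPS and session cookies should be marked secure.')`. This is the same concern raised on the redirect hunk in the setup file. prefs_session_list() starts before this hunk.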
......@@ -1606,6 +1606,7 @@ function get_default_prefs() {
'session_lifetime' => 0,
'session_silent' => 'n',
'session_cookie_name' => session_name(),
'session_protected' => 'n',
'shoutbox_autolink' => 'n',
'show_comzone' => 'n',
'tikiIndex' => 'tiki-index.php',
......
......@@ -19,6 +19,8 @@
{preference name=feature_htmlpurifier_output}
{preference name=menus_item_names_raw}
{preference name=session_protected}
{tr}Please also see:{/tr} <a href="tiki-admin.php?page=login">{tr}HTTPS (SSL) and other login preferences{/tr}</a>
<fieldset>
......
......@@ -45,6 +45,7 @@ $needed_prefs = array(
'session_storage' => 'default',
'session_silent' => 'n',
'session_cookie_name' => session_name(),
'session_protected' => 'n',
'tiki_cdn' => '',
'tiki_cdn_ssl' => '',
'language' => 'en',
......@@ -66,6 +67,11 @@ if (!isset($prefs['lastUpdatePrefs']) || $prefs['lastUpdatePrefs'] == - 1) {
$tikilib->query('insert into `tiki_preferences`(`name`,`value`) values(?,?)', array('lastUpdatePrefs', 1));
}
if ($prefs['session_protected'] == 'y' && ! isset($_SERVER['HTTPS'])) {
header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
exit;
}
global $cachelib;
require_once ('lib/cache/cachelib.php');
global $logslib;
......
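Review bot: `! isset($_SERVER['HTTPS'])` is not a reliable "not HTTPS" test: some servers (IIS notably) set `$_SERVER['HTTPS']` to `'off'` on plain HTTP, and behind a TLS-terminating proxy the variable is often absent even when the client used HTTPS, which with this check produces a redirect loop once the flag is enabled. A safer form is `$isHttps = ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';` followed by `if ($prefs['session_protected'] === 'y' && ! $isHttps) {` (also using strict comparison on the preference value). The `Location` target is built from `$_SERVER['HTTP_HOST']`, which is taken from the request's Host header, so it should be validated against the configured site host if one is available elsewhere in the setup (not visible in this hunk) rather than echoed back as-is. Independently of the redirect, the session cookie should carry the secure flag (via `session.cookie_secure` / `session_set_cookie_params`) when this preference is on, otherwise the cookie still travels in clear on the very request that triggers the redirect; if the session is already started earlier in this file, that first request is not protected at all. `header()` here defaults to a 302 and discards POST bodies, which is acceptable for an enforcement redirect but worth a comment such as `// Non-GET requests over plain HTTP are intentionally dropped; clients must retry over HTTPS`.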