`session_protected` feature is broken if HTTPS termination happens outside of PHP's reach
- Status
- Open
- Subject
- `session_protected` feature is broken if HTTPS termination happens outside of PHP's reach
- Version
- 18.x
- Category
- Bug
- Resolution status
- New
- Submitted by
- Jan Chren
- Lastmod by
- Jan Chren
- Rating
- Description
In the `tiki-setup_base.php` file there is a broken piece of code that looks like this:

```php
<?php
// HTTPS redirect as it appears in tiki-setup_base.php: PHP is treated as
// "not on SSL" whenever the HTTPS server variable is absent or "off"
$noSSLActive = ! isset($_SERVER['HTTPS']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'off');
if (isset($prefs['session_protected']) && $prefs['session_protected'] == 'y' && $noSSLActive && php_sapi_name() != 'cli') {
    // Redirect to the same path on https, built from the incoming Host header
    header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    exit;
}
```

which results in infinite loops if `session_protected` is set to 'y' and the `HTTPS` variable is not set. Also, this piece of code doesn't handle different base URLs, ports, ...
- Importance
- 3
- Easy to solve?
- 3
- Priority
- 9
- Demonstrate Bug on Tiki 19+
-
- Demonstrate Bug (older Tiki versions)
-
- Ticket ID
- 6583
- Created
- Wednesday 28 February, 2018 21:01:57 UTC by Jan Chren
- LastModif
- Wednesday 28 February, 2018 21:01:57 UTC
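The redirect check quoted in the description, reworked as an added example that is not Tiki's own code. It shows why the loop happens when a reverse proxy terminates TLS (PHP never sees `HTTPS`, so every request is redirected again) and one way to close it: honour `X-Forwarded-Proto` only when the request comes from a configured trusted proxy address, and build the `Location` from a configured base URL instead of echoing the client's `Host` header, which also covers non-default ports. The function names, the `$trustedProxies` and `$baseUrl` settings, and the sample addresses are assumptions for the example, not Tiki configuration.

```php
<?php
// Added example (not from tiki-setup_base.php). Decides whether a request
// really arrived over HTTPS, including the case where TLS was terminated
// by a proxy in front of PHP, and only then decides about a redirect.

/**
 * True when the request was made over HTTPS.
 *
 * @param array    $server         copy of $_SERVER
 * @param string[] $trustedProxies addresses allowed to assert X-Forwarded-Proto
 *                                 (assumed to come from site configuration)
 */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    // Case 1: PHP itself sits behind the TLS endpoint (mod_php / php-fpm on a
    // TLS vhost). Apache sets HTTPS=on, IIS sets HTTPS=off for plain HTTP.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== ''
        && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // Case 2: TLS was terminated upstream. Believe the forwarded header only
    // when the immediate peer is a proxy we configured; any other client can
    // send the header and must not be able to switch the check off.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // Several proxies may have appended values; the first is the client side.
        $first = explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0];
        return strtolower(trim($first)) === 'https';
    }

    return false;
}

/**
 * Returns the Location to redirect to, or null when no redirect is needed.
 * $baseUrl is the configured https base URL (scheme, host and port), so the
 * Host header is not echoed back and a non-default port keeps working.
 */
function sessionProtectedRedirect(array $prefs, array $server, array $trustedProxies, string $baseUrl): ?string
{
    if (($prefs['session_protected'] ?? 'n') !== 'y') {
        return null;
    }
    if (PHP_SAPI === 'cli' || requestIsHttps($server, $trustedProxies)) {
        return null;
    }
    return rtrim($baseUrl, '/') . ($server['REQUEST_URI'] ?? '/');
}

// ---- constructed sample requests (not real traffic) -------------------------
$prefs   = ['session_protected' => 'y'];
$proxies = ['10.0.0.5'];                         // assumed trusted proxy address
$base    = 'https://wiki.example.test:8443';     // assumed configured base URL

// (a) Plain HTTP straight from a client: one redirect to the https base URL.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'REQUEST_URI' => '/tiki-index.php'];
echo "direct http:   ", sessionProtectedRedirect($prefs, $direct, $proxies, $base) ?? 'no redirect', "\n";

// (b) Same request after the trusted proxy terminated TLS: HTTPS is unset,
//     but X-Forwarded-Proto from the proxy says https, so no redirect.
//     The original check would redirect here on every request (the loop).
$viaProxy = array_merge($direct, ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https']);
echo "via proxy:     ", sessionProtectedRedirect($prefs, $viaProxy, $proxies, $base) ?? 'no redirect', "\n";

// (c) A client that is not a trusted proxy claims https itself: not believed.
$spoofed = array_merge($direct, ['HTTP_X_FORWARDED_PROTO' => 'https']);
echo "spoofed hdr:   ", sessionProtectedRedirect($prefs, $spoofed, $proxies, $base) ?? 'no redirect', "\n";

// (d) PHP saw HTTPS itself: nothing to do.
$native = array_merge($direct, ['HTTPS' => 'on']);
echo "native https:  ", sessionProtectedRedirect($prefs, $native, $proxies, $base) ?? 'no redirect', "\n";
```

Cases (a) and (d) behave like the original code; case (b) is the proxy setup from the ticket, where the original loops and this version stops; case (c) shows why the forwarded header is only trusted from configured proxy addresses. If the proxy is not on a fixed address, the same decision can be made from a proxy-specific signal that clients cannot set (for example a header the proxy strips from inbound requests), but that is deployment-specific and not shown here.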