
`session_protected` feature is broken if HTTPS termination happens outside of PHP's reach

Status
Open
Subject
`session_protected` feature is broken if HTTPS termination happens outside of PHP's reach
Version
18.x
Category
  • Bug
Resolution status
New
Submitted by
Jan Chren
Lastmod by
Jan Chren
Rating
(0)
Description

In the `tiki-setup_base.php` file there is a broken piece of code that looks like this:

```php
<?php
// As quoted from tiki-setup_base.php: "no SSL" is inferred from $_SERVER['HTTPS'] alone,
// so a request whose TLS was terminated by a proxy in front of PHP always counts as insecure.
$noSSLActive = ! isset($_SERVER['HTTPS']) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'off');
if (isset($prefs['session_protected']) && $prefs['session_protected'] == 'y' && $noSSLActive && php_sapi_name() != 'cli') {
    // Redirect target is rebuilt from the Host header and request URI only
    header("Location: https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");
    exit;
}
```


which results in an infinite loop if `session_protected` is set to 'y' and the `HTTPS` variable is not set. Also, this piece of code doesn't handle different base URLs, ports, ...

Importance
3
Easy to solve?
3
Priority
9
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
6583
Created
Wednesday 28 February, 2018 21:01:57 UTC
by Jan Chren
LastModif
Wednesday 28 February, 2018 21:01:57 UTC
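The following is an added illustration of the failure mode described in this ticket and of one way to detect the request scheme behind a TLS-terminating proxy; it is example code written for this page, not code from Tiki or from the reporter. It assumes the proxy sets an `X-Forwarded-Proto` header and that its address is listed in `$trustedProxies`, and it uses a hypothetical `$baseUrl` value in place of whatever preference a site would actually configure. The sample `$_SERVER` arrays are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example for ticket 6583, not Tiki code. Assumptions: the TLS-terminating proxy
// sends X-Forwarded-Proto, its address is in $trustedProxies, and $baseUrl stands in for
// a configured site URL (not a real Tiki preference name).

/** The check as quoted in the ticket: true whenever PHP itself did not see TLS. */
function noSslActiveOriginal(array $server): bool
{
    return !isset($server['HTTPS']) || $server['HTTPS'] === 'off';
}

/** Scheme detection that also works behind a trusted TLS-terminating proxy. */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;                                  // PHP terminated TLS itself
    }
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ($peer !== '' && in_array($peer, $trustedProxies, true)) {
        // Only a known proxy may assert the client-facing scheme; any other peer
        // could send "X-Forwarded-Proto: https" to skip the enforcement.
        $raw   = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
        $proto = strtolower(trim(explode(',', $raw)[0]));   // first hop is the client side
        if ($proto === 'https' || $proto === 'http') {
            return $proto === 'https';
        }
    }
    return (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/**
 * Returns the Location to redirect to, or null when no redirect is needed.
 * The target is built from the configured base URL, so a non-default port and a
 * sub-directory install survive, and the Host header cannot steer the redirect.
 * $sapi is a parameter so the function can be exercised from the CLI.
 */
function httpsRedirectTarget(array $server, array $prefs, string $baseUrl, array $trustedProxies, string $sapi = PHP_SAPI): ?string
{
    if (($prefs['session_protected'] ?? 'n') !== 'y' || $sapi === 'cli') {
        return null;
    }
    if (requestIsHttps($server, $trustedProxies)) {
        return null;
    }
    $parts = parse_url($baseUrl);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        // A base URL that is not https would redirect to itself forever; fail closed instead.
        throw new RuntimeException('session_protected requires an https base URL');
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    $uri  = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/' . ltrim($uri, '/');                // the host is fixed; the URI never supplies one
    }
    return 'https://' . $parts['host'] . $port . $uri;
}

// Constructed requests: a proxy at 10.0.0.5 terminates TLS and forwards plain HTTP.
$prefs   = ['session_protected' => 'y'];
$baseUrl = 'https://wiki.example.org:8443/tiki';   // assumed site URL with a custom port
$proxies = ['10.0.0.5'];
$proxied = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'SERVER_PORT'            => '80',
    'HTTP_HOST'              => 'wiki.example.org:8443',
    'REQUEST_URI'            => '/tiki/tiki-index.php?page=Home',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
$spoofed = $proxied;
$spoofed['REMOTE_ADDR'] = '203.0.113.9';           // same header, but not from the proxy
$direct  = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/tiki/'];

// With the original check the proxied HTTPS request counts as insecure and is redirected to
// https://..., which the proxy delivers to PHP as plain HTTP again: the loop from the ticket.
var_dump(noSslActiveOriginal($proxied));

foreach (['proxied' => $proxied, 'spoofed' => $spoofed, 'direct' => $direct] as $name => $server) {
    $target = httpsRedirectTarget($server, $prefs, $baseUrl, $proxies, 'fpm-fcgi');
    printf("%-8s -> %s\n", $name, $target ?? 'no redirect');
}
```

Run with `php example.php`: the proxied request is no longer redirected, the request carrying the same `X-Forwarded-Proto` header from an untrusted peer is redirected to the base URL's host and port with the original request URI appended, and the directly served TLS request is left alone. The trusted-proxy list is the important part: honouring `X-Forwarded-Proto` from any peer would let a client bypass `session_protected` by adding one header.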