Skip to content

GitLab

Switch branch/tag
  1. 01 May, 2016 2 commits
  3. 29 Apr, 2016 1 commit
  5. 28 Apr, 2016 5 commits
  7. 26 Apr, 2016 1 commit
  9. 23 Apr, 2016 1 commit
  11. 22 Apr, 2016 1 commit
  13. 21 Apr, 2016 5 commits
  15. 20 Apr, 2016 2 commits
    • Aaron Wells's avatar
      Correcting typoes in cookie-issuing code · 0184cbf6
      Aaron Wells authored and Robert Lyon's avatar Robert Lyon committed 
      Bug 1570744: Accidentally used set_cookie() instead of
setcookie(). This makes the cookie break if you use
the $cfg->cookieprefix setting.

behatnotneeded: Covered by existing tests

Change-Id: Idec3676222e3ff4eb22f7925de6bec10cfa35755
      0184cbf6
    • Aaron Wells's avatar
      Bug 1570744: Fixing session bugs · 6d469bd6
      Aaron Wells authored and Robert Lyon's avatar Robert Lyon committed 
      This patch does 2 things:

1. It loads the session much earlier during init.php. We wind
up creating one on *every* script load anyway, due to LiveUser's
constructor. Sometimes it gets created earlier if other code
tries to use it before then, which adds some unpredictability
to things. Moving it up to the top of init.php reduces that
unpredictability.

2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
to only doesn't remove session headers. But header_remove()
(with no params) to remove *all* cookies does remove them. So
I'm changing remove_duplicate_cookies() to use that instead.

3. Also in PHP 5.3, session headers are visible in headers_list().
In situations where your session id changes (due to session_destroy()
and session_regenerate_id()), our use of array_unique() meant we
would preserve the old and new session IDs and send both back
to the browser. This patch makes remove_duplicate_cookies() aware
of the current session ID, and it only preserves that one.

Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
behatnotneeded: Covered by existing tests
(cherry picked from commit 83ec33f2)
      6d469bd6
  17. 19 Apr, 2016 2 commits
  19. 15 Apr, 2016 2 commits
  21. 13 Apr, 2016 1 commit
    • Aaron Wells's avatar
      Remove session.referer_check (Bug 1566366) · c9b8ff02
      Aaron Wells authored and Robert Lyon's avatar Robert Lyon committed 
      This setting kills your Mahara session whenever you navigate
to Mahara from a link or redirect on another page. This totally
prevents SAML and other redirect-based auth methods from working,
makes it annoying to use links in email, and while it is mentioned
on the PHP manual's "Securing Sessions" page, it's only
recommended there if you also have "session.use_trans_id" enabled,
which we do not.

Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
behatnotneeded: Can't be tested by behat
(cherry picked from commit 91807920)
      c9b8ff02
  23. 11 Apr, 2016 3 commits
  25. 07 Apr, 2016 1 commit
  27. 05 Apr, 2016 1 commit
  29. 31 Mar, 2016 2 commits
  31. 30 Mar, 2016 2 commits
  33. 28 Mar, 2016 1 commit
  35. 23 Mar, 2016 7 commits