Commit c9b8ff02 authored by Aaron Wells, committed by Robert Lyon

Remove session.referer_check (Bug 1566366)

This setting kills your Mahara session whenever you navigate
to Mahara from a link or redirect on another page. This totally
prevents SAML and other redirect-based auth methods from working,
makes it annoying to use links in email, and while it is mentioned
on the PHP manual's "Securing Sessions" page, it's only
recommended there if you also have "session.use_trans_sid" enabled,
which we do not.

Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
behatnotneeded: Can't be tested by behat
(cherry picked from commit 91807920)
parent 2662681e
......@@ -35,7 +35,6 @@ if (get_config('session_timeout')) {
ini_set('session.gc_maxlifetime', min(get_config('session_timeout'), 60 * 60 * 24 * 30));
}
ini_set('session.use_trans_sid', false);
ini_set('session.referer_check', get_config('wwwroot'));
ini_set('session.hash_function', 'sha256'); // stronger hash functions are sha384 and sha512
if (version_compare(PHP_VERSION, '5.5.2') > 0) {
ini_set('session.use_strict_mode', true);
......
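Review bot: the dropped `ini_set('session.referer_check', get_config('wwwroot'));` line leaves nothing in the code to say that the setting is deliberately unset, so a later hardening pass could put it back and break redirect-based logins again. A one-line comment at that spot, next to the `session.use_trans_sid` line, stating that referer checking is intentionally off because it breaks SAML and other redirect-based auth and only matters when `session.use_trans_sid` is enabled, would keep the rationale with the code. Separately, in the unchanged context, `version_compare(PHP_VERSION, '5.5.2') > 0` is false on PHP 5.5.2 itself, the release that introduced `session.use_strict_mode`; `>= 0` would enable strict mode there too.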