Merge pull request #258 from wrongecho/cookies

Secure Cookies

check_login.php

@@ -1,7 +1,13 @@
 <?php
 	
 	if(!isset($_SESSION)){
-    session_start();
+        // HTTP Only cookies
+        ini_set("session.cookie_httponly", True);
+        if($config_https_only){
+            // Tell client to only send cookie(s) over HTTPS
+            ini_set("session.cookie_secure", True);
+        }
+        session_start();
 	}
 
 	//Check to see if setup is enabled

login.php

@@ -19,6 +19,11 @@ $user_agent = "$os - $browser";
 // HTTP Only cookies
 ini_set("session.cookie_httponly", True);
 
+// Tell client to only send cookie(s) over HTTPS
+if($config_https_only){
+    ini_set("session.cookie_secure", True);
+}
+
 session_start();
 
 if(isset($_POST['login'])){

setup.php

@@ -351,6 +351,7 @@ if(isset($_POST['add_database'])){
   $new_config[] = "\$mysqli = mysqli_connect(\$dbhost, \$dbusername, \$dbpassword, \$database) or die('Database Connection Failed');\n";
   $new_config[] = "\$config_app_name = 'ITFlow';\n";
   $new_config[] = sprintf("\$config_base_url = '%s';\n", addslashes($config_base_url));
+  $new_config[] = "\$config_https_only = TRUE;\n";
 
   file_put_contents("config.php", $new_config);