author | Renato Botelho <garga@FreeBSD.org> | 2014-07-18 14:18:50 -0300 |
committer | Renato Botelho <garga@FreeBSD.org> | 2014-07-18 14:18:50 -0300 |
commit | dd030de935c500d9c3698969b985fbf068ab6ef8 (patch) | |
tree | 4c99e61aaf94d0af99fba7ec13e731b9f7ed7570 /etc/inc/auth.inc | |
parent | 639567b8f0fb7d333d8b46417b96bb906f981f37 (diff) | |
Detect when protocol changes and invalidate session to get a new cookie with secure flag set according. It fixes #3714
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 80471fe..fb04580 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -1359,6 +1359,10 @@ function session_auth() {
 	if (!session_id())
 		session_start();
 
+	// Detect protocol change
+	if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol'])
+		return false;
+
 	/* Validate incoming login request */
 	if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
 		$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
@@ -1369,6 +1373,7 @@ function session_auth() {
 		$_SESSION['Logged_In'] = "True";
 		$_SESSION['Username'] = $_POST['usernamefld'];
 		$_SESSION['last_access'] = time();
+		$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
 		if(! isset($config['system']['webgui']['quietlogin'])) {
 			log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
 		}
 |
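Review bot: The new check in the first hunk reads `$_SESSION['protocol']` unconditionally, but a session logged in before this change (before the second hunk's login path stored the key) has no such entry, so the comparison emits an undefined-index notice and only works because `null != 'https'` happens to be true; make the upgrade case explicit with `if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && (!isset($_SESSION['protocol']) || $_SESSION['protocol'] != $config['system']['webgui']['protocol']))`. The early `return false` does not by itself destroy the session or regenerate its id, so the cookie issued under the previous protocol still names a live server-side session (with `Logged_In` set) until the caller acts on the false return; if the caller does not call `session_destroy()` there, the invalidation the commit message describes does not happen — worth confirming, since that code is outside the hunk. Comparing against the configured protocol rather than the protocol of the current request is fine for the stated goal (forcing a fresh cookie after a config change), but a one-line comment such as `// Force re-login after a webgui protocol change so a new cookie is issued with the matching secure flag` would make that intent clear to the next reader. session_auth() begins and ends outside both hunks, and `$config` is presumably declared global earlier in the function.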