use base_url in config for cookie options

This should fix fossar#756 and give a workaround for other cookie related issues.
niol · Mar 3, 2017 · 89a86e0 · 89a86e0
1 parent 085d386
commit 89a86e0
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 18 deletions.
diff --git a/helpers/Authentication.php b/helpers/Authentication.php
@@ -21,20 +21,15 @@ public function __construct() {
             return;
         }
 
+        $base_url = parse_url(\helpers\View::getBaseUrl());
+
         // session cookie will be valid for one month.
         $cookie_expire = 3600 * 24 * 30;
-        $cookie_secure = isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+        $cookie_secure = $base_url['scheme'] == 'https';
         $cookie_httponly = true;
+        $cookie_path = $base_url['path'];
+        $cookie_domain = $base_url['host'];
 
-        // check for SSL proxy and special cookie options
-        if (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && isset($_SERVER['HTTP_X_FORWARDED_HOST'])
-           && ($_SERVER['HTTP_X_FORWARDED_SERVER'] === $_SERVER['HTTP_X_FORWARDED_HOST'])) {
-            $cookie_path = '/' . $_SERVER['SERVER_NAME'] . preg_replace('/\/[^\/]+$/', '', $_SERVER['PHP_SELF']) . '/';
-            $cookie_domain = $_SERVER['HTTP_X_FORWARDED_SERVER'];
-        } else {
-            $cookie_path = \F3::get('BASE') . '/';
-            $cookie_domain = $_SERVER['SERVER_NAME'];
-        }
         session_set_cookie_params(
             $cookie_expire, $cookie_path, $cookie_domain, $cookie_secure, $cookie_httponly
         );

diff --git a/helpers/View.php b/helpers/View.php
@@ -26,7 +26,7 @@ public function __construct() {
      * config.ini this will be used. Otherwise base url will be generated by
      * globale server variables ($_SERVER).
      */
-    public function getBaseUrl() {
+    public static function getBaseUrl() {
         $base = '';
 
         // base url in config.ini file
@@ -39,16 +39,23 @@ public function getBaseUrl() {
 
         // auto generate base url
         } else {
-            $lastSlash = strrpos($_SERVER['REQUEST_URI'], '/');
-            $subdir = $lastSlash !== false ? substr($_SERVER['REQUEST_URI'], 0, $lastSlash) : '';
-
             $protocol = 'http';
-            if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1) ||
-               (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' ||
-               (isset($_SERVER['HTTP_HTTPS'])) && $_SERVER['HTTP_HTTPS'] == 'https') {
+            if ((isset($_SERVER['HTTPS']) && !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ||
+                (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ||
+                (isset($_SERVER['HTTP_HTTPS']) && $_SERVER['HTTP_HTTPS'] == 'https')) {
                 $protocol = 'https';
             }
 
+            // check for SSL proxy
+            if (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) && isset($_SERVER['HTTP_X_FORWARDED_HOST'])
+            && ($_SERVER['HTTP_X_FORWARDED_SERVER'] === $_SERVER['HTTP_X_FORWARDED_HOST'])) {
+                $subdir = '/' . preg_replace('/\/[^\/]+$/', '', $_SERVER['PHP_SELF']);
+                $host = $_SERVER['HTTP_X_FORWARDED_SERVER'];
+            } else {
+                $subdir = \F3::get('BASE');
+                $host = $_SERVER['SERVER_NAME'];
+            }
+
             $port = '';
             if (($protocol == 'http' && $_SERVER['SERVER_PORT'] != '80') ||
                 ($protocol == 'https' && $_SERVER['SERVER_PORT'] != '443')) {
@@ -59,7 +66,7 @@ public function getBaseUrl() {
                 $port = ':' . $_SERVER['HTTP_X_FORWARDED_PORT'];
             }
 
-            $base = $protocol . '://' . $_SERVER['SERVER_NAME'] . $port . $subdir . '/';
+            $base = $protocol . '://' . $host . $port . $subdir . '/';
         }
 
         return $base;