From e6e13284f9653e8e46c78a731ba0caebf81b11b9 Mon Sep 17 00:00:00 2001
From: jonathanharker
Date: Sun, 14 Dec 2008 22:28:39 +0000
Subject: [PATCH] MDL-16875 New Moodle setting - sessioncookiedomain

Added new sessioncookiedomain setting to session handling section.
* allows you to change the domain that the Moodle cookies are available from. This is useful for Moodle customisations (i.e. Squirrelmail SSO or enrolment plugins) that need to share Moodle session information with a web application on another subdomain.
* Will NOT work if the moodle host does not have a domain - i.e. just a hostname, e.g. 'localhost' or 'myhostname'. Needs a FQDN
* Currently the setting is set to PARAM_TEXT length 50 since PARAM_HOST does not allow a leading dot e.g. '.mydomain.com'
* TODO: do we make up a new PARAM_COOKIEDOMAIN which is the same as PARAM_HOST but allows leading dots? Using PARAM_HOST and prepending a dot may not always be desirable.
---
admin/settings/server.php | 1 +
lang/en_utf8/admin.php | 2 ++
lib/sessionlib.php | 19 +++++++++++--------
3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/admin/settings/server.php b/admin/settings/server.php
index 1041ae5374..13b3e94625 100644
--- a/admin/settings/server.php
+++ b/admin/settings/server.php
@@ -89,6 +89,7 @@ $temp->add(new admin_setting_configselect('sessiontimeout', get_string('sessiont
 300 => get_string('numminutes', '', 5))));
 $temp->add(new admin_setting_configtext('sessioncookie', get_string('sessioncookie', 'admin'), get_string('configsessioncookie', 'admin'), '', PARAM_ALPHANUM));
 $temp->add(new admin_setting_configtext('sessioncookiepath', get_string('sessioncookiepath', 'admin'), get_string('configsessioncookiepath', 'admin'), '/', PARAM_LOCALURL));
+$temp->add(new admin_setting_configtext('sessioncookiedomain', get_string('sessioncookiedomain', 'admin'), get_string('configsessioncookiedomain', 'admin'), '', PARAM_TEXT, 50));
 $ADMIN->add('server', $temp, 50);
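Review bot: The only validation on the new `sessioncookiedomain` setting is `PARAM_TEXT` with a 50-character cap, and lib/sessionlib.php hands the stored value unchanged to `session_set_cookie_params()` and `setcookie()`, so the admin form will accept values that are not a valid cookie Domain attribute at all (embedded whitespace, `;`, a full URL) and, as the help text already warns, a bad value locks every user out. The TODO in the commit message is the right long-term fix; a cheap interim check is to strip one leading dot, run the remainder through the PARAM_HOST cleaning, and refuse the save when that changes the value. The help string should also state the trust decision the admin is making, e.g. `Every web application served under this domain can read and replace the Moodle session cookie, so only set it when all hosts under the domain are trusted.`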
diff --git a/lang/en_utf8/admin.php b/lang/en_utf8/admin.php
index 51422a6d01..b690dd1cf5 100644
--- a/lang/en_utf8/admin.php
+++ b/lang/en_utf8/admin.php
@@ -229,6 +229,7 @@ $string['configsectionuser'] = 'User';
 $string['configsecureforms'] = 'Moodle can use an additional level of security when accepting data from web forms. If this is enabled, then the browser\'s HTTP_REFERER variable is checked against the current form address. In a very few cases this can cause problems if the user is using a firewall (eg Zonealarm) configured to strip HTTP_REFERER from their web traffic. Symptoms are getting \'stuck\' on a form. If your users are having problems with the login page (for example) you might want to disable this setting, although it might leave your site more open to brute-force password attacks. If in doubt, leave this set to \'Yes\'.';
 $string['configsendcoursewelcomemessage'] = 'If enabled, users receive a welcome message via email when they self-enrol in a course.';
 $string['configsessioncookie'] = 'This setting customises the name of the cookie used for Moodle sessions. This is optional, and only useful to avoid cookies being confused when there is more than one copy of Moodle running within the same web site.';
+$string['configsessioncookiedomain'] = 'This allows you to change the domain that the Moodle cookies are available from. This is useful for Moodle customisations (e.g. authentication or enrolment plugins) that need to share Moodle session information with a web application on another subdomain. WARNING: it is strongly recommended to leave this setting at the default (empty) - an incorrect value will prevent all logins to the site.';
 $string['configsessioncookiepath'] = 'If you need to change where browsers send the Moodle cookies, you can change this setting to specify a subdirectory of your web site. Otherwise the default \'/\' should be fine.';
 $string['configsessiontimeout'] = 'If people logged in to this site are idle for a long time (without loading pages) then they are automatically logged out (their session is ended).
This variable specifies how long this time should be.';
 $string['configshowblocksonmodpages'] = 'Some activity modules support blocks on their pages. If you turn this on, then teachers will be able to add side blocks on those pages, otherwise the interface does not show this feature.';
@@ -697,6 +698,7 @@ $string['server'] = 'Server';
 $string['serverchecks'] = 'Server Checks';
 $string['serverlimit'] = 'Server Limit';
 $string['sessioncookie'] = 'Cookie prefix';
+$string['sessioncookiedomain'] = 'Cookie domain';
 $string['sessioncookiepath'] = 'Cookie path';
 $string['sessionhandling'] = 'Session Handling';
 $string['sessiontimeout'] = 'Timeout';
diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index 887a33912e..8e34ef5420 100644
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -18,7 +18,7 @@ class moodle_session {
 if (!NO_MOODLE_COOKIES) {
 session_name('MoodleSession'.$CFG->sessioncookie);
- session_set_cookie_params(0, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
+ session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
 @session_start();
 if (!isset($_SESSION['SESSION'])) {
 $_SESSION['SESSION'] = new object();
@@ -26,7 +26,7 @@ class moodle_session {
 if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
 $_SESSION['SESSION']->has_timed_out = true;
 }
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
+ setcookie('MoodleSessionTest'.$CFG->sessioncookie, $_SESSION['SESSION']->session_test, 0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
 $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] = $_SESSION['SESSION']->session_test;
 }
 if (!isset($_SESSION['USER'])) {
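Review bot: The new `session_set_cookie_params()` call in the @@ -18 hunk needs a comment on what its third argument now means, because an empty string and a domain name behave very differently and nothing at the call site says which is expected: `// empty sessioncookiedomain = host-only cookie (PHP omits the Domain attribute); a domain name exposes the session cookie to every host under it`. The `MoodleSessionTest` cookie in the @@ -26 hunk is set with the same path and domain, which is what keeps the two cookies travelling together; a short comment saying that the two `setcookie` sites must stay in step would save the next maintainer from changing one without the other. Both hunks are inside a method whose start and end lie outside the hunk.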
@@ -80,8 +80,8 @@ class moodle_session {
 moodle_setlocale();
 //clear session cookies
- setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
+ setcookie('MoodleSession'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
+ setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
 //increment database error counters
 if (isset($CFG->session_error_counter)) {
@@ -105,7 +105,7 @@ class moodle_session {
 error_log('MoodleSessionTest cookie could not be set in moodlelib.php:'.__LINE__);
 error_log('Headers were already sent in file: '.$file.' on line '.$line);
 } else {
- setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, '', $CFG->cookiesecure, $CFG->cookiehttponly);
+ setcookie('MoodleSessionTest'.$CFG->sessioncookie, '', time() - 3600, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $CFG->cookiesecure, $CFG->cookiehttponly);
 }
 $this->session = new object();
@@ -181,6 +181,9 @@ class moodle_session {
 if (!isset($CFG->sessioncookie)) {
 $CFG->sessioncookie = '';
 }
+ if (!isset($CFG->sessioncookiedomain)) {
+ $CFG->sessioncookiedomain = '';
+ }
 if (!isset($CFG->sessioncookiepath)) {
 $CFG->sessioncookiepath = '/';
 }
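Review bot: The cookie-clearing calls in the @@ -80 hunk, and the one in @@ -105, expire the cookie at the current `$CFG->sessioncookiedomain`, but browsers key cookies on name, domain and path, so a host-only `MoodleSession` cookie issued before an admin changed this setting is a different cookie and is not removed by these calls; the stale and the new cookie are then both sent and PHP will generally surface only one of them in `$_COOKIE`. A comment on the first `setcookie()` line should make this limit explicit, e.g. `// only clears cookies issued under the current sessioncookiedomain; cookies set under an earlier value survive until they expire`, and the admin help text should tell admins that existing sessions may misbehave after the value is changed. The `''` default added in the @@ -181 hunk preserves the previous behaviour for sites without the setting, which is the right choice; the enclosing methods start outside these hunks.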
@@ -253,8 +256,8 @@ class moodle_session {
 $seconds = DAYSECS*$days;
 // no need to set secure or http cookie only here - it is not secret
- setCookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath);
- setCookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath);
+ setcookie($cookiename, '', time() - HOURSECS, $CFG->sessioncookiepath, $CFG->sessioncookiedomain);
+ setcookie($cookiename, rc4encrypt($thing), time()+$seconds, $CFG->sessioncookiepath, $CFG->sessioncookiedomain);
 }
 /**
@@ -412,4 +415,4 @@ class moodle_session {
 ob_start(array('moodle_session', 'sid_ob_rewrite'));
 }
 }
-}
\ No newline at end of file
+}
--
2.39.5
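Review bot: The comment above the rewritten `setcookie()` pair in the @@ -253 hunk still only justifies the missing secure/httponly flags, while the change also scopes this cookie to `$CFG->sessioncookiedomain`, so the comment should be extended to record that this is deliberate and that the two calls must share path and domain for the clear to hit the same cookie the re-set creates: `// no need to set secure or http cookie only here - it is not secret; same path/domain as the session cookie so the clear and the re-set address the same cookie`. The `setCookie` → `setcookie` spelling change is a harmless incidental fix. The enclosing method starts outside the hunk.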