| 1522,9 → 1522,12 |
|---|
| $timeout = 2; |
| $already_ssl = self::isSSL(); |
| $ssl_port = 443; |
| $host_with_port = $_SERVER['HTTP_HOST']; |
| $host_no_port = explode(':',$host_with_port)[0]; |
| $host_ssl = $host_no_port . ($ssl_port != 443 ? ':'.$ssl_port : ''); |
| |
| if ($already_ssl) { |
| OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false, null, true/*forceInsecure*/); |
| OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, true/*allowJS*/, null/*samesite*/, true/*forceInsecure*/); |
| self::$sslAvailableCache = true; |
| return true; |
| } else { |
| 1535,6 → 1538,7 |
|---|
| // If you open the page with HTTPS first, then the CSRF token cookies will get the "secure" flag |
| // If you open the page then with HTTP, the HTTP cannot access the secure CSRF cookies, |
| // Chrome will then block "Set-Cookie" since the HTTP cookie would overwrite the HTTPS cookie. |
| // So we MUST redirect, even if the Mode is ENFORCE_SSL_NO. |
| // Note: SSL_CHECK is NOT a replacement for HSTS! You should use HSTS, |
| // because on there your browser ensures that HTTPS is called, before the server |
| // is even contacted (and therefore, no HTTP connection can be hacked). |
| 1549,7 → 1553,7 |
|---|
| return false; |
| } else if ($mode == OIDplus::ENFORCE_SSL_YES) { |
| // Force SSL |
| $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
| $location = 'https://' . $host_ssl . $_SERVER['REQUEST_URI']; |
| header('Location:'.$location); |
| die(_L('Redirecting to HTTPS...')); |
| } else if ($mode == OIDplus::ENFORCE_SSL_AUTO) { |
| 1558,7 → 1562,7 |
|---|
| // We already had the HTTPS detection done before. |
| if ($_COOKIE['SSL_CHECK'] == '1') { |
| // HTTPS was detected before, but we are HTTP. Redirect now |
| $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
| $location = 'https://' . $host_ssl . $_SERVER['REQUEST_URI']; |
| header('Location:'.$location); |
| die(_L('Redirecting to HTTPS...')); |
| } else { |
| 1570,15 → 1574,15 |
|---|
| // This is our first check (or the browser didn't accept the SSL_CHECK cookie) |
| $errno = -1; |
| $errstr = ''; |
| if (@fsockopen($_SERVER['HTTP_HOST'], $ssl_port, $errno, $errstr, $timeout)) { |
| if (@fsockopen($host_no_port, $ssl_port, $errno, $errstr, $timeout)) { |
| // HTTPS detected. Redirect now, and remember that we had detected HTTPS |
| OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false, null, true/*forceInsecure*/); |
| $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
| OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, true/*allowJS*/, null/*samesite*/, true/*forceInsecure*/); |
| $location = 'https://' . $host_ssl . $_SERVER['REQUEST_URI']; |
| header('Location:'.$location); |
| die(_L('Redirecting to HTTPS...')); |
| } else { |
| // No HTTPS detected. Do nothing, and next time, don't try to detect HTTPS again. |
| OIDplus::cookieUtils()->setcookie('SSL_CHECK', '0', 0, false, null, true/*forceInsecure*/); |
| OIDplus::cookieUtils()->setcookie('SSL_CHECK', '0', 0, true/*allowJS*/, null/*samesite*/, true/*forceInsecure*/); |
| self::$sslAvailableCache = false; |
| return false; |
| } |