Rev 928 | Rev 978 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 928 | Rev 974 | ||
|---|---|---|---|
| Line 1402... | Line 1402... | ||
| 1402 | } |
1402 | } |
| 1403 | 1403 | ||
| 1404 | return ($cachedVersion = false); // version ambigous or unknown |
1404 | return ($cachedVersion = false); // version ambigous or unknown |
| 1405 | } |
1405 | } |
| 1406 | 1406 | ||
| - | 1407 | const ENFORCE_SSL_NO = 0; |
|
| - | 1408 | const ENFORCE_SSL_YES = 1; |
|
| - | 1409 | const ENFORCE_SSL_AUTO = 2; |
|
| 1407 | private static $sslAvailableCache = null; |
1410 | private static $sslAvailableCache = null; |
| 1408 | public static function isSslAvailable() { |
1411 | public static function isSslAvailable() { |
| 1409 | if (!is_null(self::$sslAvailableCache)) return self::$sslAvailableCache; |
1412 | if (!is_null(self::$sslAvailableCache)) return self::$sslAvailableCache; |
| 1410 | 1413 | ||
| 1411 | if (PHP_SAPI == 'cli') { |
1414 | if (PHP_SAPI == 'cli') { |
| Line 1415... | Line 1418... | ||
| 1415 | 1418 | ||
| 1416 | $timeout = 2; |
1419 | $timeout = 2; |
| 1417 | $already_ssl = self::isSSL(); |
1420 | $already_ssl = self::isSSL(); |
| 1418 | $ssl_port = 443; |
1421 | $ssl_port = 443; |
| 1419 | 1422 | ||
| 1420 | // TODO: Instead of 0, 1, 2, maybe make OIDplus:: constants |
- | |
| 1421 | $mode = OIDplus::baseConfig()->getValue('ENFORCE_SSL', 2/*auto*/); |
- | |
| 1422 | - | ||
| 1423 | if ($mode == 0) { |
- | |
| 1424 | // No SSL available |
- | |
| 1425 | self::$sslAvailableCache = $already_ssl; |
- | |
| 1426 | return $already_ssl; |
- | |
| 1427 | } |
- | |
| 1428 | - | ||
| 1429 | if ($mode == 1) { |
- | |
| 1430 | // Force SSL |
- | |
| 1431 | if ($already_ssl) { |
1423 | if ($already_ssl) { |
| - | 1424 | OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false, null, true/*forceInsecure*/); |
|
| 1432 | self::$sslAvailableCache = true; |
1425 | self::$sslAvailableCache = true; |
| 1433 | return true; |
1426 | return true; |
| 1434 | } else { |
1427 | } else { |
| - | 1428 | if (isset($_COOKIE['SSL_CHECK']) && ($_COOKIE['SSL_CHECK'] == '1')) { |
|
| - | 1429 | // The cookie "SSL_CHECK" is set once a website was loaded with HTTPS. |
|
| - | 1430 | // It forces subsequent HTTP calls to redirect to HTTPS (like HSTS). |
|
| - | 1431 | // The reason is the following problem: |
|
| - | 1432 | // If you open the page with HTTPS first, then the CSRF token cookies will get the "secure" flag |
|
| - | 1433 | // If you open the page then with HTTP, the HTTP cannot access the secure CSRF cookies, |
|
| - | 1434 | // Chrome will then block "Set-Cookie" since the HTTP cookie would overwrite the HTTPS cookie. |
|
| - | 1435 | // Note: SSL_CHECK is NOT a replacement for HSTS! You should use HSTS, |
|
| - | 1436 | // because on there your browser ensures that HTTPS is called, before the server |
|
| - | 1437 | // is even contacted (and therefore, no HTTP connection can be hacked). |
|
| - | 1438 | $mode = OIDplus::ENFORCE_SSL_YES; |
|
| - | 1439 | } else { |
|
| - | 1440 | $mode = OIDplus::baseConfig()->getValue('ENFORCE_SSL', OIDplus::ENFORCE_SSL_AUTO); |
|
| - | 1441 | } |
|
| - | 1442 | ||
| - | 1443 | if ($mode == OIDplus::ENFORCE_SSL_NO) { |
|
| - | 1444 | // No SSL available |
|
| - | 1445 | self::$sslAvailableCache = false; |
|
| - | 1446 | return false; |
|
| - | 1447 | } else if ($mode == OIDplus::ENFORCE_SSL_YES) { |
|
| - | 1448 | // Force SSL |
|
| 1435 | $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
1449 | $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
| 1436 | header('Location:'.$location); |
1450 | header('Location:'.$location); |
| 1437 | die(_L('Redirecting to HTTPS...')); |
1451 | die(_L('Redirecting to HTTPS...')); |
| 1438 | #self::$sslAvailableCache = true; |
- | |
| 1439 | #return true; |
- | |
| 1440 | } |
- | |
| 1441 | } |
- | |
| 1442 | - | ||
| 1443 | if ($mode == 2) { |
1452 | } else if ($mode == OIDplus::ENFORCE_SSL_AUTO) { |
| 1444 | // Automatic SSL detection |
1453 | // Automatic SSL detection |
| 1445 | - | ||
| 1446 | if ($already_ssl) { |
- | |
| 1447 | // we are already on HTTPS |
- | |
| 1448 | OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false); |
- | |
| 1449 | self::$sslAvailableCache = true; |
- | |
| 1450 | return true; |
- | |
| 1451 | } else { |
- | |
| 1452 | if (isset($_COOKIE['SSL_CHECK'])) { |
1454 | if (isset($_COOKIE['SSL_CHECK'])) { |
| 1453 | // We already had the HTTPS detection done before. |
1455 | // We already had the HTTPS detection done before. |
| 1454 | if ($_COOKIE['SSL_CHECK']) { |
1456 | if ($_COOKIE['SSL_CHECK'] == '1') { |
| 1455 | // HTTPS was detected before, but we are HTTP. Redirect now |
1457 | // HTTPS was detected before, but we are HTTP. Redirect now |
| 1456 | $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
1458 | $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
| 1457 | header('Location:'.$location); |
1459 | header('Location:'.$location); |
| 1458 | die(_L('Redirecting to HTTPS...')); |
1460 | die(_L('Redirecting to HTTPS...')); |
| 1459 | #self::$sslAvailableCache = true; |
- | |
| 1460 | #return true; |
- | |
| 1461 | } else { |
1461 | } else { |
| 1462 | // No HTTPS available. Do nothing. |
1462 | // No HTTPS available. Do nothing. |
| 1463 | self::$sslAvailableCache = false; |
1463 | self::$sslAvailableCache = false; |
| 1464 | return false; |
1464 | return false; |
| 1465 | } |
1465 | } |
| Line 1467... | Line 1467... | ||
| 1467 | // This is our first check (or the browser didn't accept the SSL_CHECK cookie) |
1467 | // This is our first check (or the browser didn't accept the SSL_CHECK cookie) |
| 1468 | $errno = -1; |
1468 | $errno = -1; |
| 1469 | $errstr = ''; |
1469 | $errstr = ''; |
| 1470 | if (@fsockopen($_SERVER['HTTP_HOST'], $ssl_port, $errno, $errstr, $timeout)) { |
1470 | if (@fsockopen($_SERVER['HTTP_HOST'], $ssl_port, $errno, $errstr, $timeout)) { |
| 1471 | // HTTPS detected. Redirect now, and remember that we had detected HTTPS |
1471 | // HTTPS detected. Redirect now, and remember that we had detected HTTPS |
| 1472 | OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false); |
1472 | OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false, null, true/*forceInsecure*/); |
| 1473 | $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
1473 | $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; |
| 1474 | header('Location:'.$location); |
1474 | header('Location:'.$location); |
| 1475 | die(_L('Redirecting to HTTPS...')); |
1475 | die(_L('Redirecting to HTTPS...')); |
| 1476 | #self::$sslAvailableCache = true; |
- | |
| 1477 | #return true; |
- | |
| 1478 | } else { |
1476 | } else { |
| 1479 | // No HTTPS detected. Do nothing, and next time, don't try to detect HTTPS again. |
1477 | // No HTTPS detected. Do nothing, and next time, don't try to detect HTTPS again. |
| 1480 | OIDplus::cookieUtils()->setcookie('SSL_CHECK', '0', 0, false); |
1478 | OIDplus::cookieUtils()->setcookie('SSL_CHECK', '0', 0, false, null, true/*forceInsecure*/); |
| 1481 | self::$sslAvailableCache = false; |
1479 | self::$sslAvailableCache = false; |
| 1482 | return false; |
1480 | return false; |
| 1483 | } |
1481 | } |
| 1484 | } |
1482 | } |
| 1485 | } |
1483 | } |