Rev 928 | Rev 974 | ||
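--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1402,10 +1402,13 @@
 }
 
 return ($cachedVersion = false); // version ambigous or unknown
 }
 
+const ENFORCE_SSL_NO = 0;
+const ENFORCE_SSL_YES = 1;
+const ENFORCE_SSL_AUTO = 2;
 private static $sslAvailableCache = null;
 public static function isSslAvailable() {
 if (!is_null(self::$sslAvailableCache)) return self::$sslAvailableCache;
 
 if (PHP_SAPI == 'cli') {
@@ -1415,51 +1418,48 @@
 
 $timeout = 2;
 $already_ssl = self::isSSL();
 $ssl_port = 443;
 
-// TODO: Instead of 0, 1, 2, maybe make OIDplus:: constants
-$mode = OIDplus::baseConfig()->getValue('ENFORCE_SSL', 2/*auto*/);
-
-if ($mode == 0) {
-// No SSL available
-self::$sslAvailableCache = $already_ssl;
-return $already_ssl;
-}
-
-if ($mode == 1) {
-// Force SSL
 if ($already_ssl) {
+OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false, null, true/*forceInsecure*/);
 self::$sslAvailableCache = true;
 return true;
 } else {
+if (isset($_COOKIE['SSL_CHECK']) && ($_COOKIE['SSL_CHECK'] == '1')) {
+// The cookie "SSL_CHECK" is set once a website was loaded with HTTPS.
+// It forces subsequent HTTP calls to redirect to HTTPS (like HSTS).
+// The reason is the following problem:
+// If you open the page with HTTPS first, then the CSRF token cookies will get the "secure" flag
+// If you open the page then with HTTP, the HTTP cannot access the secure CSRF cookies,
+// Chrome will then block "Set-Cookie" since the HTTP cookie would overwrite the HTTPS cookie.
+// Note: SSL_CHECK is NOT a replacement for HSTS! You should use HSTS,
+// because on there your browser ensures that HTTPS is called, before the server
+// is even contacted (and therefore, no HTTP connection can be hacked).
+$mode = OIDplus::ENFORCE_SSL_YES;
+} else {
+$mode = OIDplus::baseConfig()->getValue('ENFORCE_SSL', OIDplus::ENFORCE_SSL_AUTO);
+}
+
+if ($mode == OIDplus::ENFORCE_SSL_NO) {
+// No SSL available
+self::$sslAvailableCache = false;
+return false;
+} else if ($mode == OIDplus::ENFORCE_SSL_YES) {
+// Force SSL
 $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
 header('Location:'.$location);
 die(_L('Redirecting to HTTPS...'));
-#self::$sslAvailableCache = true;
-#return true;
-}
-}
-
-if ($mode == 2) {
+} else if ($mode == OIDplus::ENFORCE_SSL_AUTO) {
 // Automatic SSL detection
-
-if ($already_ssl) {
-// we are already on HTTPS
-OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false);
-self::$sslAvailableCache = true;
-return true;
-} else {
 if (isset($_COOKIE['SSL_CHECK'])) {
 // We already had the HTTPS detection done before.
-if ($_COOKIE['SSL_CHECK']) {
+if ($_COOKIE['SSL_CHECK'] == '1') {
 // HTTPS was detected before, but we are HTTP. Redirect now
 $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
 header('Location:'.$location);
 die(_L('Redirecting to HTTPS...'));
-#self::$sslAvailableCache = true;
-#return true;
 } else {
 // No HTTPS available. Do nothing.
 self::$sslAvailableCache = false;
 return false;
 }
@@ -1467,19 +1467,17 @@
 // This is our first check (or the browser didn't accept the SSL_CHECK cookie)
 $errno = -1;
 $errstr = '';
 if (@fsockopen($_SERVER['HTTP_HOST'], $ssl_port, $errno, $errstr, $timeout)) {
 // HTTPS detected. Redirect now, and remember that we had detected HTTPS
-OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false);
+OIDplus::cookieUtils()->setcookie('SSL_CHECK', '1', 0, false, null, true/*forceInsecure*/);
 $location = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
 header('Location:'.$location);
 die(_L('Redirecting to HTTPS...'));
-#self::$sslAvailableCache = true;
-#return true;
 } else {
 // No HTTPS detected. Do nothing, and next time, don't try to detect HTTPS again.
-OIDplus::cookieUtils()->setcookie('SSL_CHECK', '0', 0, false);
+OIDplus::cookieUtils()->setcookie('SSL_CHECK', '0', 0, false, null, true/*forceInsecure*/);
 self::$sslAvailableCache = false;
 return false;
 }
 }
 }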
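Review bot: The mode dispatch at new lines 1443–1452 has no terminal branch, so an ENFORCE_SSL config value other than 0, 1 or 2 makes isSslAvailable() fall through every `if` and return null without ever populating `self::$sslAvailableCache`; callers then see a falsy result and the whole check reruns on each call. The last branch can absorb that case: replace `} else if ($mode == OIDplus::ENFORCE_SSL_AUTO) {` with `} else { // ENFORCE_SSL_AUTO, or an unrecognized ENFORCE_SSL value: fall back to probing`. The comparisons also use `==`; if baseConfig()->getValue() can hand the setting back as a string, normalizing with `$mode = (int) $mode;` before the chain keeps the matches well defined across PHP versions — getValue() is not visible here, so confirm its return type. The function this hunk sits in opens in the preceding hunk and closes in the following one.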