900 => get_string('numminutes', '', 15),
300 => get_string('numminutes', '', 5))));
$temp->add(new admin_setting_configtext('sessioncookie', get_string('sessioncookie', 'admin'), get_string('configsessioncookie', 'admin'), '', PARAM_ALPHANUM));
-$temp->add(new admin_setting_configtext('sessioncookiepath', get_string('sessioncookiepath', 'admin'), get_string('configsessioncookiepath', 'admin'), '/', PARAM_LOCALURL));
-$temp->add(new admin_setting_configtext('sessioncookiedomain', get_string('sessioncookiedomain', 'admin'), get_string('configsessioncookiedomain', 'admin'), '', PARAM_TEXT, 50));
+$temp->add(new admin_setting_configtext('sessioncookiepath', get_string('sessioncookiepath', 'admin'), get_string('configsessioncookiepath', 'admin'), '', PARAM_RAW));
+$temp->add(new admin_setting_configtext('sessioncookiedomain', get_string('sessioncookiedomain', 'admin'), get_string('configsessioncookiedomain', 'admin'), '', PARAM_RAW, 50));
$ADMIN->add('server', $temp);
if (!isset($CFG->sessioncookie)) {
$CFG->sessioncookie = '';
}
+
+ // make sure cookie domain makes sense for this wwwroot
if (!isset($CFG->sessioncookiedomain)) {
$CFG->sessioncookiedomain = '';
+ } else if ($CFG->sessioncookiedomain !== '') {
+ $host = parse_url($CFG->wwwroot, PHP_URL_HOST);
+ if ($CFG->sessioncookiedomain !== $host) {
+ if (substr($CFG->sessioncookiedomain, 0, 1) === '.') {
+ if (!preg_match('|^.*'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {
+ // invalid domain - it must be end part of host
+ $CFG->sessioncookiedomain = '';
+ }
+ } else {
+ if (!preg_match('|^.*\.'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {
+ // invalid domain - it must be end part of host
+ $CFG->sessioncookiedomain = '';
+ }
+ }
+ }
}
+
+ // make sure the cookiepath is valid for this wwwroot or autodetect if not specified
if (!isset($CFG->sessioncookiepath)) {
- $CFG->sessioncookiepath = '/';
+ $CFG->sessioncookiepath = '';
+ }
+ if ($CFG->sessioncookiepath !== '/') {
+ $path = parse_url($CFG->wwwroot, PHP_URL_PATH).'/';
+ if ($CFG->sessioncookiepath === '') {
+ $CFG->sessioncookiepath = $path;
+ } else {
+ if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') {
+ $CFG->sessioncookiepath = $path;
+ }
+ }
}
//discard session ID from POST, GET and globals to tighten security,
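Review bot: The suffix checks at L20 and L25 are case-sensitive, but hostnames are not, so a wwwroot written as `https://Example.Com/moodle` with `sessioncookiedomain` set to `example.com` silently resets the domain to '' on every request (cookies fall back to host-only) with nothing surfaced to the admin; the `.*` in both patterns is also redundant. Lowercasing both sides and doing a plain suffix comparison makes the intent clearer and removes the regex. Since L6-L7 now store these values as PARAM_RAW, the only validation left is this runtime reset, so it may be worth also rejecting the value at save time if the setting class offers a validate() hook (not visible here). The hunk appears to continue past the lines shown.
```php
// … unchanged: $host = parse_url($CFG->wwwroot, PHP_URL_HOST); …
$hostlc   = strtolower($host);
$domainlc = strtolower($CFG->sessioncookiedomain);
if ($domainlc !== $hostlc) {
    // the configured domain must be a parent domain of the wwwroot host; a leading dot is optional
    $suffix = (substr($domainlc, 0, 1) === '.') ? $domainlc : '.'.$domainlc;
    if (substr($hostlc, -strlen($suffix)) !== $suffix) {
        // invalid domain - it must be end part of host
        $CFG->sessioncookiedomain = '';
    }
}
```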