[ic] Make MV_PASSWORD secure if set on secure page
Josh Lavin
josh at perusion.net
Thu Jul 12 18:35:51 UTC 2012
https://github.com/jlavin/interchange/commit/0b840ab8913af5aa57ced27ab963a557ddb2f7d6
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1572,7 +1572,7 @@ sub login {
);
}
- username_cookies($self->{PASSED_USERNAME} ||
$self->{USERNAME}, $pw)
+ username_cookies($self->{PASSED_USERNAME} ||
$self->{USERNAME}, $pw, $self->{OPTIONS}{secure_cookies})
if $Vend::Cfg->{CookieLogin};
if ($self->{LOCATION}{LAST} ne 'none') {
@@ -1998,7 +1998,7 @@ sub new_account {
else {
$self->set_values() unless
$self->{OPTIONS}{no_set};
$self->{USERNAME} = $foreign if $foreign;
- username_cookies($self->{USERNAME}, $pw)
+ username_cookies($self->{USERNAME}, $pw,
$self->{OPTIONS}{secure_cookies})
if $Vend::Cfg->{CookieLogin};
$self->log('new account') if $options{'log'};
@@ -2026,7 +2026,7 @@ sub new_account {
}
sub username_cookies {
- my ($user, $pw) = @_;
+ my ($user, $pw, $secure) = @_;
return unless
$CGI::values{mv_cookie_password}
or
$CGI::values{mv_cookie_username}
or
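Review bot: The new third argument `$secure` has no documentation at the signature, and its behaviour is one-way. Because the body later applies `$secure ||= $CGI::secure`, a false `secure_cookies` value passed by `login` or `new_account` cannot switch the flag off on a secure page. A comment above the sub would make that clear, e.g. `# $secure: true forces the Secure flag on MV_PASSWORD; false defers to $CGI::secure`. The body of username_cookies continues past this hunk.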
@@ -2034,13 +2034,14 @@ sub username_cookies {
Vend::Util::read_cookie('MV_USERNAME');
$::Instance->{Cookies} = [] unless defined
$::Instance->{Cookies};
my $exp = time() + $Vend::Cfg->{SaveExpire};
+ $secure ||= $CGI::secure;
push @{$::Instance->{Cookies}},
['MV_USERNAME', $user, $exp];
return unless
$CGI::values{mv_cookie_password}
or
Vend::Util::read_cookie('MV_PASSWORD');
push @{$::Instance->{Cookies}},
- ['MV_PASSWORD', $pw, $exp];
+ ['MV_PASSWORD', $pw, $exp, undef, undef,
$secure];
return;
}
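Review bot: With `$secure ||= $CGI::secure;` the `MV_PASSWORD` entry is still pushed when both values are false, so a login made over a non-secure page still issues the cookie carrying `$pw` without the Secure flag, exactly as before. If cookie login over plain HTTP is not something the site needs, a guard such as `return unless $secure;` ahead of the second push would close that; otherwise a comment stating that the fallback is deliberate would help. The bare `undef, undef` also deserves a trailing comment, e.g. `# domain, path: defaults; last element is the secure flag` (slot meaning inferred from the name/value/expiry order, worth confirming against the code that writes the cookie header). `MV_USERNAME` stays unflagged, which appears intentional given the commit title.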
--
Josh Lavin
Perusion -- Expert Interchange Consulting http://www.perusion.com/