fix: added recommendation to enable SSL/TLS

If SSL/TLS is not enabled, the sensitive cookie information is unencrypted.
thorsten · Oct 26, 2021 · 2e5dca9 · 2e5dca9
1 parent 89248df
commit 2e5dca9
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 5 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,10 +1,13 @@
-phpMyFAQ 3.0.9
+phpMyFAQ 3.0.10
 Codename "Phobos"
 
 CHANGELOG
 
 This is a log of major user-visible changes in each phpMyFAQ release.
 
+Version 3.0.10 - 2021-
+- fixed many minor bugs (Thorsten)
+
 Version 3.0.9 - 2021-04-17
 - fixed minor bugs (Thorsten)
 

diff --git a/phpmyfaq/lang/language_de.php b/phpmyfaq/lang/language_de.php
@@ -1088,7 +1088,7 @@
 
 // added 2.7.1 - 2011-09-30 by Thorsten
 $PMF_LANG['msg_about_faq'] = 'Über diese FAQ';
-$LANG_CONF['security.useSslOnly'] = [0 => 'checkbox', 1 => 'FAQ nur mit SSL/TLS nutzen '];
+$LANG_CONF['security.useSslOnly'] = [0 => 'checkbox', 1 => 'FAQ nur mit SSL/TLS nutzen (Empfohlen)'];
 $PMF_LANG['msgTableOfContent'] = 'Inhaltsverzeichnis';
 
 // added 2.7.5 - 2012-03-02 by Thorsten

diff --git a/phpmyfaq/lang/language_en.php b/phpmyfaq/lang/language_en.php
@@ -1087,7 +1087,7 @@
 
 // added 2.7.1 - 2011-09-30 by Thorsten
 $PMF_LANG['msg_about_faq'] = 'About this FAQ';
-$LANG_CONF['security.useSslOnly'] = [0 => 'checkbox', 1 => 'FAQ with SSL only'];
+$LANG_CONF['security.useSslOnly'] = [0 => 'checkbox', 1 => 'FAQ with SSL only (Recommended)'];
 $PMF_LANG['msgTableOfContent'] = 'Table of Content';
 
 // added 2.7.5 - 2012-03-02 by Thorsten

diff --git a/phpmyfaq/src/phpMyFAQ/Session.php b/phpmyfaq/src/phpMyFAQ/Session.php
@@ -304,7 +304,7 @@ public function setCookie(string $name, $sessionId = '', int $timeout = PMF_SESS
                 $_SERVER['REQUEST_TIME'] + $timeout,
                 dirname($_SERVER['SCRIPT_NAME']) . '; samesite=strict',
                 parse_url($this->config->getDefaultUrl(), PHP_URL_HOST),
-                'https' === $protocol,
+                'https' === $protocol, // only secure running via HTTPS
                 true
             );
         } else {
@@ -316,7 +316,7 @@ public function setCookie(string $name, $sessionId = '', int $timeout = PMF_SESS
                     'path' => dirname($_SERVER['SCRIPT_NAME']),
                     'domain' => parse_url($this->config->getDefaultUrl(), PHP_URL_HOST),
                     'samesite' => 'strict',
-                    'secure' => 'https' === $protocol,
+                    'secure' => 'https' === $protocol, // only secure running via HTTPS
                     'httponly' => true,
                 ]
             );