Feature #23340 » 15334.diff
t3lib/config_default.php (working copy) | ||
---|---|---|
'compat_version' => '3.8', // Compatibility version. TYPO3 behavior will try to be compatible with the output from the TYPO3 version set here. It is recommended to change this setting with the Upgrade Wizard.
|
||
'encryptionKey' => '', // This is a "salt" used for various kinds of encryption, CRC checksums and validations. You can enter any rubbish string here but try to keep it secret. You should notice that a change to this value might invalidate temporary information, URLs etc. At least, clear all cache if you change this so any such information can be rebuild with the new key.
|
||
'cookieDomain' => '', // When setting the value to ".example.com" (replace example.com with your domain!), login sessions will be shared across subdomains. Alternatively, if you have more than one domain with sub-domains, you can set the value to a regular expression to match against the domain of the HTTP request. The result of the match is used as the domain for the cookie. eg. /\.(example1|example2)\.com$/ or /\.(example1\.com)|(example2\.net)$/
|
||
'cookieDomainBE' => '', // Same as cookieDomain, but for Backend cookies. If empty, cookieDomain value will be used.
|
||
'cookieSecure' => 0, // Integer (0, 1, 2): Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client. If set to 1 (force HTTPS), the cookie will only be set if a secure (HTTPS) connection exists - use this in combination with lockSSL since otherwise the application will fail and throw an exception! If set to 2, the cookie will be set in each case, but uses the secure flag if a secure (HTTPS) connection exists.
|
||
'cookieHttpOnly' => FALSE, // Boolean: When enabled the cookie will be made accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
|
||
'doNotCheckReferer' => FALSE, // Boolean. If set, it's NOT checked numerous places that the refering host is the same as the current. This is an option you should set if you have problems with proxies not passing the HTTP_REFERER variable.
|
t3lib/class.t3lib_userauth.php (working copy) | ||
---|---|---|
protected function getCookieDomain() {
|
||
$result = '';
|
||
$cookieDomain = $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'];
|
||
// If login type is BE and separate cookie domain is defined for BE,
|
||
// use that domain
|
||
if ($this->loginType == 'BE' && !empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomainBE'])) {
|
||
$cookieDomain = $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomainBE'];
|
||
}
|
||
if ($cookieDomain) {
|
||
if ($cookieDomain{0} == '/') {
|