Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
This has no other reason than preventing some insane automated scanners from reporting this as security bug (which it obviously isn't as the cookie contains nothing of value)
Thus it generally results in an happier Lukas and hopefully less reports to our support and security mail addresses...
maintain deprecated \OC::$session when getting or setting the session via the server container or UserSession
restore order os OC::$session and OC::$CLI
remove unneded initialization of dummy session
write back session when $useCustomSession is true
log warning when deprecated app is used
Previous version is vulnerable to session fixation attack in some situations, guessing non-apache-module-php5 environment. Regeneration of session id should be done here.
Cookies from 5.0.12 seemed to have an extra slash in the path.
Firefox doesn't allow to remove them if the trailing slash isn't
there,
thus making it impossible to logout correctly.
This fix adds extra code to delete such stray cookies.
Ported from stable5 branch 99e5c6f7eb
Lukas Reschke
Morris Jobke
Jenkins for ownCloud
Robin Appelman
Bernhard Posselt
Thomas Müller
Jörn Friedrich Dreyer
Joas Schilling
Arthur Schiwon
Robin McCorkell
Lukas Reschke
NARUKAWA Hiroki
Vincent Petry