Support for HttpOnly cookies.

HttpOnly cookies prohibit access by Javascript. Currently only IE6 supports
it. See http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
In order to achieve that the cookie with the session_id also contains the
httponly cookie attribute I introduced a new function, sqsession_start which
overwrites the cookie set by php by our own cookie containing the session_id
and the httponly attribute.
All session_start calls are replaced by sqsession_start.

functions/global.php

@@ -257,9 +257,9 @@ function sqsession_destroy() {
 
     global $base_uri;
 
-    if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', time() - 5, $base_uri);
-    if (isset($_COOKIE['username'])) setcookie('username','',time() - 5,$base_uri);
-    if (isset($_COOKIE['key'])) setcookie('key','',time() - 5,$base_uri);
+    if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
+    if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri);
+    if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri);
 
     $sessid = session_id();
     if (!empty( $sessid )) {
@@ -275,14 +275,67 @@ function sqsession_destroy() {
  * (even though autoglobal), is not created unless a session is
  * started, unlike $_POST, $_GET and such
  */
-
 function sqsession_is_active() {
-
     $sessid = session_id();
     if ( empty( $sessid ) ) {
-        session_start();
+        sqsession_start();
     }
 }
 
+/**
+ * Function to start the session and store the cookie with the session_id as
+ * HttpOnly cookie which means that the cookie isn't accessible by javascript
+ * (IE6 only)
+ */
+function sqsession_start() {
+    global $PHP_SELF;
+
+    $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|');
+    $repl = array('', '', '');
+    $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
+
+    session_start();
+    $sessid = session_id();
+    // session_starts sets the sessionid cookie buth without the httponly var
+    // setting the cookie again sets the httponly cookie attribute
+    sqsetcookie(session_name(),$sessid,false,$base_uri);
+}
+
+
+/**
+ * Set a cookie
+ * @param string  $sName     The name of the cookie.
+ * @param string  $sValue    The value of the cookie.
+ * @param int     $iExpire   The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch.
+ * @param string  $sPath     The path on the server in which the cookie will be available on.
+ * @param string  $sDomain   The domain that the cookie is available.
+ * @param boolean $bSecure   Indicates that the cookie should only be transmitted over a secure HTTPS connection.
+ * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
+ * @return void
+ */
+function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
+    $sHeader = "Set-Cookie: $sName=$sValue";
+    if ($sPath) {
+        $sHeader .= "; Path=\"$sPath\"";
+    }
+    if ($iExpire !==false) {
+        $sHeader .= "; Max-Age=$iExpire";
+    }
+    if ($sPath) {
+        $sHeader .= "; Path=$sPath";
+    }
+    if ($sDomain) {
+        $sHeader .= "; Domain=$sDomain";
+    }
+    if ($bSecure) {
+        $sHeader .= "; Secure";
+    }
+    if ($bHttpOnly) {
+        $sHeader .= "; HttpOnly";
+    }
+    $sHeader .= "; Version=1";
+
+    header($sHeader);
+}
 // vim: et ts=4
 ?>

src/redirect.php

@@ -58,7 +58,7 @@ if (!sqgetGlobalVar('mailto', $mailto)) {
 
 set_up_language($squirrelmail_language, true);
 /* Refresh the language cookie. */
-setcookie('squirrelmail_language', $squirrelmail_language, time()+2592000,
+sqsetcookie('squirrelmail_language', $squirrelmail_language, time()+2592000,
           $base_uri);
 
 if (!isset($login_username)) {
@@ -93,7 +93,7 @@ if (!sqsession_is_registered('user_is_logged_in')) {
 
     $username = $login_username;
     sqsession_register ($username, 'username');
-    setcookie('key', $key, 0, $base_uri);
+    sqsetcookie('key', $key, false, $base_uri);
     do_hook ('login_verified');
 
 }

src/right_main.php

@@ -277,7 +277,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) {
         session_write_close();
         // restart the session. Do not use sqsession_is_active because the session_id
         // isn't empty after a session_write_close
-        session_start();
+        sqsession_start();
         if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) {
             $compose_width = '640';
         }

src/search.php

@@ -726,7 +726,7 @@ function asearch_get_form_mailbox($imapConnection, &$boxes, $mailbox, $row_num =
 }
 
 /** Build the Include subfolders checkbox
- * @todo if(function_exists('addCheckBox')) ? 
+ * @todo if(function_exists('addCheckBox')) ?
  */
 function asearch_get_form_sub($sub, $row_num = 0)
 {
@@ -1360,7 +1360,7 @@ if (isset($aMailbox['FORWARD_SESSION'])) {
         session_write_close();
         // restart the session. Do not use sqsession_is_active because the session_id
         // isn't empty after a session_write_close
-        session_start();
+        sqsession_start();
 
         if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) {
             $compose_width = '640';

src/webmail.php

@@ -74,7 +74,7 @@ do_hook('webmail_top');
  */
 $my_language = getPref($data_dir, $username, 'language');
 if ($my_language != $squirrelmail_language) {
-    setcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
+    sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
 }
 
 $err=set_up_language(getPref($data_dir, $username, 'language'));