Merge pull request #678 from Arantor/release-2.1

! Clean up the Cookies and Sessions admin panel page, including sprucing...

Sources/ManageServer.php

@@ -262,11 +262,11 @@ function ModifyCookieSettings($return_config = false)
 		// Cookies...
 		array('cookiename', $txt['cookie_name'], 'file', 'text', 20),
 		array('cookieTime', $txt['cookieTime'], 'db', 'int', 'postinput' => $txt['minutes']),
-		array('localCookies', $txt['localCookies'], 'subtext' => $txt['localCookies_note'], 'db', 'check', false, 'localCookies'),
-		array('globalCookies', $txt['globalCookies'], 'subtext' => $txt['globalCookies_note'], 'db', 'check', false, 'globalCookies'),
-		array('globalCookiesDomain', $txt['globalCookiesDomain'], 'subtext' => $txt['globalCookiesDomain_note'], 'db', 'text', false, 'globalCookiesDomain'),
-		array('secureCookies', $txt['secureCookies'], 'subtext' => $txt['secureCookies_note'], 'db', 'check', false, 'secureCookies',  'disabled' => !isset($_SERVER['HTTPS']) || !(strtolower($_SERVER['HTTPS']) == 'on' || strtolower($_SERVER['HTTPS']) == '1')),
-		array('httponlyCookies', $txt['httponlyCookies'], 'subtext' => $txt['httponlyCookies_note'], 'db', 'check', false, 'httponlyCookies'),
+		array('localCookies', $txt['localCookies'], 'db', 'check', false, 'localCookies'),
+		array('globalCookies', $txt['globalCookies'], 'db', 'check', false, 'globalCookies'),
+		array('globalCookiesDomain', $txt['globalCookiesDomain'], 'db', 'text', false, 'globalCookiesDomain'),
+		array('secureCookies', $txt['secureCookies'], 'db', 'check', false, 'secureCookies',  'disabled' => !isset($_SERVER['HTTPS']) || !(strtolower($_SERVER['HTTPS']) == 'on' || strtolower($_SERVER['HTTPS']) == '1')),
+		array('httponlyCookies', $txt['httponlyCookies'], 'db', 'check', false, 'httponlyCookies'),
 		'',
 		// Sessions
 		array('databaseSession_enable', $txt['databaseSession_enable'], 'db', 'check', false, 'databaseSession_enable'),
@@ -274,6 +274,23 @@ function ModifyCookieSettings($return_config = false)
 		array('databaseSession_lifetime', $txt['databaseSession_lifetime'], 'db', 'int', false, 'databaseSession_lifetime', 'postinput' => $txt['seconds']),
 	);
 
+	addInlineJavascript('
+	function hideGlobalCookies()
+	{
+		var usingLocal = $("#localCookies").prop("checked");
+		$("#setting_globalCookies").closest("dt").toggle(!usingLocal);
+		$("#globalCookies").closest("dd").toggle(!usingLocal);
+
+		var usingGlobal = !usingLocal && $("#globalCookies").prop("checked");
+		$("#setting_globalCookiesDomain").closest("dt").toggle(usingGlobal);
+		$("#globalCookiesDomain").closest("dd").toggle(usingGlobal);
+	};
+	hideGlobalCookies();
+
+	$("#localCookies, #globalCookies").click(function() {
+		hideGlobalCookies();
+	});', true);
+
 	call_integration_hook('integrate_cookie_settings', array(&$config_vars));
 
 	if ($return_config)
@@ -287,6 +304,10 @@ function ModifyCookieSettings($return_config = false)
 	{
 		call_integration_hook('integrate_save_cookie_settings');
 
+		// Local and global do not play nicely together.
+		if (!empty($_POST['localCookies']) && empty($_POST['globalCookies']))
+			unset ($_POST['globalCookies']);
+
 		if (!empty($_POST['globalCookiesDomain']) && strpos($boardurl, $_POST['globalCookiesDomain']) === false)
 			fatal_lang_error('invalid_cookie_domain', false);
 

Sources/Subs-Auth.php

@@ -130,7 +130,7 @@ function url_parts($local, $global)
 
 	// Globalize cookies across domains (filter out IP-addresses)?
 	elseif ($global && preg_match('~^\d{1,3}(\.\d{1,3}){3}$~', $parsed_url['host']) == 0 && preg_match('~(?:[^\.]+\.)?([^\.]{2,}\..+)\z~i', $parsed_url['host'], $parts) == 1)
-			$parsed_url['host'] = '.' . $parts[1];
+		$parsed_url['host'] = '.' . $parts[1];
 
 	// We shouldn't use a host at all if both options are off.
 	elseif (!$local && !$global)

Themes/default/languages/Help.english.php

@@ -282,6 +282,7 @@ $helptxt['enableCompressedOutput'] = 'This option will compress output to lower
 		zlib to be installed.';
 $helptxt['disableTemplateEval'] = 'By default, templates are evaluated instead of just included. This helps with showing more useful debug information in case a template contains an error.<br /><br />
 		On large forums however, this customised inclusion process may be significantly slower. Therefore, advanced users may wish to disable it.';
+$helptxt['httponlyCookies'] = 'Cookies won\'t be accessible by scripting languages, such as JavaScript. This setting can help to reduce identity theft through XSS attacks. This can cause issues with third party scripts but should be on wherever possible.';
 $helptxt['databaseSession_enable'] = 'This option makes use of the database for session storage - it is best for load balanced servers, but helps with all timeout issues and can make the forum faster.';
 $helptxt['databaseSession_loose'] = 'Turning this on will decrease the bandwidth your forum uses, and make it so clicking back will not reload the page - the downside is that the (new) icons won\'t update, among other things. (unless you click to that page instead of going back to it.)';
 $helptxt['databaseSession_lifetime'] = 'This is the number of seconds for sessions to last after they haven\'t been accessed.  If a session is not accessed for too long, it is said to have &quot;timed out&quot;.  Anything higher than 2400 is recommended.';
@@ -337,11 +338,11 @@ $helptxt['cal_enabled'] = 'The calendar can be used for showing birthdays, or fo
 		<strong>Max number of days an event can span</strong>:<br />Select the maximum days that an event can span.<br /><br />
 		Remember that usage of the calendar (posting events, viewing events, etc.) is controlled by permissions set on the permissions screen.';
 $helptxt['localCookies'] = 'SMF uses cookies to store login information on the client computer.
-	Cookies can be stored globally (myserver.com) or locally (myserver.com/path/to/forum).<br />
-	Check this option if you\'re experiencing problems with users getting logged out automatically.<hr />
+	Cookies can be stored globally (myserver.com) or locally (myserver.com/path/to/forum).<br /><br />
+	Try this option if you\'re experiencing problems with users getting logged out automatically.<hr />
 	Globally stored cookies are less secure when used on a shared webserver (like Tripod).<hr />
-	Local cookies don\'t work outside the forum directory so, if your forum is stored at www.myserver.com/forum, pages like www.myserver.com/index.php cannot access the account information.
-	Especially when using SSI.php, global cookies are recommended.';
+	Local cookies don\'t work outside the forum directory so, if your forum is stored at www.myserver.com/forum, pages like www.myserver.com/index.php cannot access the account information.<br /><br />
+	Global cookies are especially recommended when using SSI.php but work well for most sites on their own domain.';
 $helptxt['enableBBC'] = 'Selecting this option will allow your members to use Bulletin Board Code (BBC) throughout the forum, allowing users to format their posts with images, type formatting and more.';
 $helptxt['time_offset'] = 'Not all forum administrators want their forum to use the same time zone as the server upon which it is hosted. Use this option to specify a time difference (in hours) from which the forum should operate from the server time. Negative and decimal values are permitted.';
 $helptxt['default_timezone'] = 'The server timezone tells PHP where your server is located. You should ensure this is set correctly, preferably to the country/city in which the server is located. You can find out more information on the <a href="http://www.php.net/manual/en/timezones.php" target="_blank">PHP Site</a>.';
@@ -369,11 +370,12 @@ $helptxt['xmlnews_enable'] = 'Allows people to link to <a href="%1$s?action=.xml
 $helptxt['hotTopicPosts'] = 'Change the number of posts for a topic to reach the state of a &quot;hot&quot; or
 	&quot;very hot&quot; topic.';
 $helptxt['globalCookies'] = 'Makes log in cookies available across subdomains.  For example, if...<br />
-	Your site is at http://www.simplemachines.org/,<br />
-	And your forum is at http://forum.simplemachines.org/,<br />
-	Using this option will allow you to access the forum\'s cookie on your site.  Do not enable this if there are other subdomains (like hacker.simplemachines.org) not controlled by you.';
-$helptxt['globalCookiesDomain'] = 'Define the main domain to be used when log in cookies are available across subdomains';
-$helptxt['secureCookies'] = 'Enabling this option will force the cookies created for users on your forum to be marked as secure. Only enable this option if you are using HTTPS throughout your site as it will break cookie handling otherwise!';
+	your site is http://www.example.com/,<br />
+	and your forum is http://forum.example.com/,<br />
+	Using this option will allow you to access the forum\'s cookie on your site.  Do not enable this if there are other subdomains (like hacker.example.com) not controlled by you.<br /><br />
+	This option does not function when local cookies are enabled.';
+$helptxt['globalCookiesDomain'] = 'When using subdomain independent cookies, you can specify what domain should be used for them. This should, of course, be set to your main domain - for example if you are using forum.example.com and www.example.com, the domain is example.com in this case. You should not put the http:// part in front of it.';
+$helptxt['secureCookies'] = 'Enabling this option will force the cookies created for users on your forum to be marked as secure. Only enable this option if you are using HTTPS throughout your site as it will mean no-one will be able to log in properly!';
 $helptxt['securityDisable'] = 'This <em>disables</em> the additional password check for the administration section. This is not recommended!';
 $helptxt['securityDisable_why'] = 'This is your current password. (the same one you use to login.)<br /><br />Having to type this helps ensure that you want to do whatever administration you are doing, and that it is <strong>you</strong> doing it.';
 $helptxt['securityDisable_moderate'] = 'This <em>disables</em> the additional password check for the moderation section. This is not recommended!';

Themes/default/languages/ManageSettings.english.php

@@ -48,16 +48,11 @@ $txt['pruneScheduledTaskLog'] = 'Remove scheduled task log entries older than';
 $txt['pruneSpiderHitLog'] = 'Remove search engine hit logs older than';
 $txt['cookieTime'] = 'Default login cookies length';
 $txt['localCookies'] = 'Enable local storage of cookies';
-$txt['localCookies_note'] = '(SSI won\'t work well with this on)';
 $txt['globalCookies'] = 'Use subdomain independent cookies';
-$txt['globalCookies_note'] = '(turn off local cookies first!)';
 $txt['globalCookiesDomain'] = 'Main domain used for subdomain independent cookies';
-$txt['globalCookiesDomain_note'] = '(enable subdomain independent cookies first!<br />The domain could be for example: "website.com" or "website.co.uk" without http:// or slashes)';
 $txt['invalid_cookie_domain'] = 'The domain intruduced seems to be invalid, please check it and save again.';
 $txt['secureCookies'] = 'Force cookies to be secure';
-$txt['secureCookies_note'] = '(This only applies if you are using HTTPS - don\'t use otherwise!)';
 $txt['httponlyCookies'] = 'Force cookies to be made accessible only through the HTTP protocol';
-$txt['httponlyCookies_note'] = '(Cookies won\'t be accessible by scripting languages, such as JavaScript. This setting can help to reduce identity theft through XSS attacks.)';
 $txt['securityDisable'] = 'Disable administration security';
 $txt['securityDisable_moderate'] = 'Disable moderation security';
 $txt['send_validation_onChange'] = 'Require reactivation after email change';