Fixed cookie behaviour when behind a reverse proxy with a different hostname. See PHPCRED-28
Fixed cookie behaviour when behind a reverse proxy with a different hostname. See PHPCRED-28

--- a/Install/index.php
+++ b/Install/index.php
@@ -608,6 +608,7 @@
 <input type="hidden" name="JSMinName" value=".min">
 <input type="hidden" name="forceSSL" value="false">
 <input type="hidden" name="forceTLS" value="true">
+<input type="hidden" name="CredlockerHost" value="DEFAULT">
 
 <table>
 <tr>

--- a/Resources/info.php
+++ b/Resources/info.php
@@ -39,7 +39,12 @@
 if (isset($_COOKIE['PHPCredLockerKeySet']) && BTMain::getVar('destSession') == 'Y'){
 
 $expires = strtotime("-2 days");
-setcookie("PHPCredLockerKeySet", 1, $expires, dirname($_SERVER["REQUEST_URI"]), $_SERVER['HTTP_HOST'], BTMain::getConf()->forceSSL);
+
+// See PHPCRED-28
+$conf = BTMain::getConf();
+$host = (!empty($conf->CredlockerHost) && ($conf->CredlockerHost != 'DEFAULT'))? $conf->CredlockerHost : $_SERVER['HTTP_HOST'];
+
+setcookie("PHPCredLockerKeySet", 1, $expires, dirname($_SERVER["REQUEST_URI"]), $host, $conf->forceSSL);
 BTMain::unsetSessVar('tls');
 BTMain::unsetSessVar('KeyExpiry');
 BTMain::unsetSessVar('apiterms');
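Review bot: The host-selection expression added here is repeated verbatim in the lib/auth.class.php hunk; the cookie is only deleted if this call uses exactly the domain the login cookie was set with, so the two copies must never drift and the logic belongs in one shared helper next to `BTMain::getConf()` (e.g. a `cookieHost()` method returning the override or `$_SERVER['HTTP_HOST']`). While moving it, use a strict comparison: `$host = (!empty($conf->CredlockerHost) && $conf->CredlockerHost !== 'DEFAULT') ? $conf->CredlockerHost : $_SERVER['HTTP_HOST'];`. Note that when `CredlockerHost` is left at `DEFAULT` the fallback is still the client-supplied Host header, which is exactly what differs behind a reverse proxy, so a comment such as `// Fallback is the request's Host header; set CredlockerHost when fronted by a proxy` would make the remaining caveat visible. The enclosing `if` block closes outside this hunk.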

--- a/lib/auth.class.php
+++ b/lib/auth.class.php
@@ -330,8 +330,13 @@
 // Create a string for the cookie
 $cookieVal = md5($str . mt_rand(10,80000) . mt_rand(11,500) . mt_rand(0,90000) );
 
+$conf = BTMain::getConf();
+
+// As of PHPCRED-28, the config file can be used to override the hostname used in the cookie (useful if you're behind a reverse proxy)
+$host = (!empty($conf->CredlockerHost) && ($conf->CredlockerHost != 'DEFAULT'))? $conf->CredlockerHost : $_SERVER['HTTP_HOST'];
+
 // Set the cookie
-setcookie("PHPCredLocker", $cookieVal, $expires, dirname($_SERVER["REQUEST_URI"]), $_SERVER['HTTP_HOST'], BTMain::getConf()->forceSSL);
+setcookie("PHPCredLocker", $cookieVal, $expires, dirname($_SERVER["REQUEST_URI"]), $host, $conf->forceSSL);
 
 // Write to the sessions directory
 $filename = "$expires-$cookieVal";
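Review bot: The rewritten `setcookie` call still omits the `httponly` argument, so the session cookie stays readable from script; since the call is already being edited, pass it explicitly: `setcookie("PHPCredLocker", $cookieVal, $expires, dirname($_SERVER["REQUEST_URI"]), $host, $conf->forceSSL, true);`. The `secure` flag is now read from `$conf->forceSSL`, and the installer in the first hunk writes that setting via a hidden input whose value is the literal string `"false"`; if the config loader stores it as a string rather than a bool it is truthy, so confirm the cast before it reaches `setcookie`. The enclosing function starts and ends outside this hunk.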