[webinterface] Log user out when disabling HTTPS to prevent lockout

3 files changed, 16 insertions, 9 deletions

diff --git a/inc/session.inc.php b/inc/session.inc.php
index 26effa3f..24bf6ac0 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -74,10 +74,15 @@ class Session
 	{
 		if (self::$sid === false) return;
 		@unlink(self::getSessionFile());
-		@setcookie('sid', '', time() - 8640000, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
+		self::deleteCookie();
 		self::$sid = false;
 		self::$data = false;
 	}
+
+	public static function deleteCookie()
+	{
+		setcookie('sid', '', time() - 8640000, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
+	}
 	
 	private static function getSessionFile()
 	{
@@ -104,7 +109,7 @@ class Session
 		$sessionfile = self::getSessionFile();
 		$ret = @file_put_contents($sessionfile, @serialize(self::$data));
 		if (!$ret) Util::traceError('Storing session data  in ' . $sessionfile . ' failed.');
-		$ret = @setcookie('sid', self::$sid, time() + CONFIG_SESSION_TIMEOUT, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
+		$ret = setcookie('sid', self::$sid, time() + CONFIG_SESSION_TIMEOUT, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
 		if (!$ret) Util::traceError('Error: Could not set Cookie for Client (headers already sent)');
 	}
 }
diff --git a/index.php b/index.php
index 7cbb3b40..a3f45ff3 100644
--- a/index.php
+++ b/index.php
@@ -116,7 +116,7 @@ if (defined('CONFIG_DEBUG') && CONFIG_DEBUG) {
 
 // Set HSTS Header if client is using HTTPS
 if(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
-	if (Request::any('hsts') === 'off' || Property::get('webinterface.https-hsts', 'False') !== 'True') {
+	if (Property::get('webinterface.https-hsts', 'False') !== 'True') {
 		Header('Strict-Transport-Security: max-age=0', true);
 	} else {
 		Header('Strict-Transport-Security: max-age=15768000', true);
diff --git a/modules-available/webinterface/page.inc.php b/modules-available/webinterface/page.inc.php
index 5207420a..ae9a94fd 100644
--- a/modules-available/webinterface/page.inc.php
+++ b/modules-available/webinterface/page.inc.php
@@ -26,12 +26,10 @@ class Page_WebInterface extends Page
 
 	private function actionConfigureHttps()
 	{
-		$task = false;
-		$off = '';
-		switch (Request::post('mode')) {
+		$mode = Request::post('mode');
+		switch ($mode) {
 			case 'off':
 				$task = $this->setHttpsOff();
-				$off = '&hsts=off';
 				break;
 			case 'random':
 				$task = $this->setHttpsRandomCert();
@@ -43,10 +41,12 @@ class Page_WebInterface extends Page
 				$task = $this->setRedirectMode();
 				break;
 		}
-		Property::set(self::PROP_HSTS, Request::post('usehsts', false, 'string') === 'on' ? 'True' : 'False');
+		if ($mode !== 'off') {
+			Property::set(self::PROP_HSTS, Request::post('usehsts', false, 'string') === 'on' ? 'True' : 'False');
+		}
 		if (isset($task['id'])) {
 			Session::set('https-id', $task['id']);
-			Util::redirect('?do=WebInterface&show=httpsupdate' . $off);
+			Util::redirect('?do=WebInterface&show=httpsupdate');
 		}
 		Util::redirect('?do=WebInterface');
 	}
@@ -123,7 +123,9 @@ class Page_WebInterface extends Page
 	private function setHttpsOff()
 	{
 		Property::set(self::PROP_TYPE, 'off');
+		Property::set(self::PROP_HSTS, 'off');
 		Header('Strict-Transport-Security: max-age=0', true);
+		Session::deleteCookie();
 		return Taskmanager::submit('LighttpdHttps', array());
 	}