force login over https.

assets/php/utils.php

@@ -25,11 +25,11 @@ function connect_user($user_id, $long_expiration = true)
 {
     global $PDO, $SESSION_COOKIE_NAME, $MAX_COOKIE_LIFE;
 
-    // Set an expiration delay for the cookie
-    $delay = 86400;
-    if ($long_expiration === true) {
-        $delay = $MAX_COOKIE_LIFE;
-    }
+    // Set the session max lifespan
+    $delay = $long_expiration === true ? $MAX_COOKIE_LIFE : 86400;
+
+    // Set the cookie lifespan
+    $cookie_life = $long_expiration === true ? time() + $MAX_COOKIE_LIFE : 0;
 
     // The session id is a 32-chars random string
     $session_id = generate_random_string();
@@ -50,8 +50,11 @@ function connect_user($user_id, $long_expiration = true)
         return setcookie(
             $SESSION_COOKIE_NAME,
             $session_id,
-            time() + $delay,
-            $secure = true
+            $cookie_life,
+            "",
+            "",
+            true,
+            false
         );
     }
     return false;

login.php

@@ -34,9 +34,14 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
         // Check if username exists, if yes then verify password
         if (get_username_count($username) == 1) {
             if (correct_email_password($username, $password)) {
-                connect_user(get_user_id_from_email($username), false);
-                // Redirect user to welcome page
-                header("location: welcome.php");
+                if (is_https()) {
+                    connect_user(get_user_id_from_email($username), false);
+
+                    // Redirect user to welcome page
+                    header("location: welcome.php");
+                } else {
+                    $username_err = "Please use HTTPS.";
+                }
             } else {
                 // Display an error message if password is not valid
                 $username_err = "Invalid Username/Password.";