From a0dfbaaea8fa18da38c0cf79dc10a783abc0c77a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 22 Mar 2020 02:16:33 +0100
Subject: [PATCH] Fix: Clean header an non https redirect to avoid to have cookie session ID in non https answers.
---
 htdocs/main.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 444d541cd98..8d3812d5553 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -257,7 +257,7 @@ if (isset($_SERVER["HTTP_USER_AGENT"]))
 }
-// Force HTTPS if required ($conf->file->main_force_https is 0/1 or https dolibarr root url)
+// Force HTTPS if required ($conf->file->main_force_https is 0/1 or 'https dolibarr root url')
 // $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off'
 if (!empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on'))
 {
@@ -284,6 +284,7 @@ if (!empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERV
 // Start redirect
 if ($newurl)
 {
+	header_remove(); // Clean header already set to be sure to remove any header like "Set-Cookie: DOLSESSID_..." from non HTTPS answers
 	dol_syslog("main.inc: dolibarr_main_force_https is on, we make a redirect to ".$newurl);
 	header("Location: ".$newurl);
 	exit;
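Review bot: The unconditional `header_remove()` placed before the Location header discards every header queued so far, not only the `Set-Cookie: DOLSESSID_...` it is meant to strip, so if session_start() ran earlier with PHP's default cache limiter the redirect also loses its Expires/Cache-Control/Pragma headers and the 302 may be cached by an intermediary; the narrower `header_remove('Set-Cookie');` keeps the intended effect without that side effect, or re-add `header('Cache-Control: no-store');` after the call. A session ID was still generated for a plain-HTTP request, so the durable companion to this fix is to mark the session cookie secure whenever main_force_https is enabled (e.g. `ini_set('session.cookie_secure', '1');` before session_start()), which keeps the browser from ever sending DOLSESSID over HTTP regardless of which response might leak it. Where session_start() is called relative to this block, and whether the cache limiter is active, is not visible in the hunk. The `if (!empty($conf->file->main_force_https) ...)` block enclosing this redirect opens at the end of the first hunk and closes outside the second.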