Add security flags to cookies (HttpOnly, secure)

Fixes #4525
Alinto · Aug 21, 2018 · 828d773 · 828d773
1 parent 69c03e7
commit 828d773
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 21 deletions.
diff --git a/NEWS b/NEWS
@@ -7,6 +7,7 @@ New features
 Enhancements
  - [web] prohibit duplicate calendar categories in Preferences module
  - [web] added Romanian (ro) translation - thanks to Vasile Razvan Luca
+ - [web] add security flags to cookies (HttpOnly, secure) (#4525)
  - [core] enable Oracle OCI support for CentOS/RHEL v7
 
 Bug fixes

diff --git a/SoObjects/SOGo/SOGoWebAuthenticator.m b/SoObjects/SOGo/SOGoWebAuthenticator.m
@@ -383,6 +383,7 @@ - (WOCookie *) cookieWithUsername: (NSString *) username
 {
   WOCookie *authCookie;
   NSString *cookieValue, *cookieString, *appName, *sessionKey, *userKey, *securedPassword;
+  BOOL isSecure;
 
   //
   // We create a new cookie - thus we create a new session
@@ -409,8 +410,14 @@ - (WOCookie *) cookieWithUsername: (NSString *) username
                            userKey, sessionKey];
   cookieValue = [NSString stringWithFormat: @"basic %@",
                           [cookieString stringByEncodingBase64]];
+  isSecure = [[[context serverURL] scheme] isEqualToString: @"https"];
   authCookie = [WOCookie cookieWithName: [self cookieNameInContext: context]
-                                  value: cookieValue];
+                                  value: cookieValue
+                                   path: nil
+                                 domain: nil
+                                expires: nil
+                               isSecure: isSecure
+                               httpOnly: YES];
   appName = [[context request] applicationName];
   [authCookie setPath: [NSString stringWithFormat: @"/%@/", appName]];
 

diff --git a/UI/WebServerResources/js/Common/Authentication.service.js b/UI/WebServerResources/js/Common/Authentication.service.js
@@ -57,18 +57,6 @@
     function getService($q, $http, $cookies, passwordPolicyConfig) {
       var service;
 
-      function readLoginCookie() {
-        var loginValues = null,
-            cookie = $cookies.get('0xHIGHFLYxSOGo'),
-            value;
-        if (cookie && cookie.length > 8) {
-          value = decodeURIComponent(cookie.substr(8));
-          loginValues = value.base64decode().split(':');
-        }
-
-        return loginValues;
-      }
-
       service = {
         login: function(data) {
           var d = $q.defer(),
@@ -99,9 +87,8 @@
           }).then(function(response) {
             var data = response.data;
             // Make sure browser's cookies are enabled
-            var loginCookie = readLoginCookie();
-            if (!loginCookie) {
-              d.reject(l('cookiesNotEnabled'));
+            if (navigator && !navigator.cookieEnabled) {
+              d.reject({error: l('cookiesNotEnabled')});
             }
             else {
               // Check password policy
@@ -145,7 +132,6 @@
 
         changePassword: function(newPassword) {
           var d = $q.defer(),
-              loginCookie = readLoginCookie(),
               xsrfCookie = $cookies.get('XSRF-TOKEN');
 
           $cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});
@@ -156,10 +142,7 @@
             headers: {
               'X-XSRF-TOKEN' : xsrfCookie
             },
-            data: {
-              userName: loginCookie[0],
-              password: loginCookie[1],
-              newPassword: newPassword }
+            data: { newPassword: newPassword }
           }).then(d.resolve, function(response) {
             var error,
                 data = response.data,