Merge pull request #35 from alanhogan/ajh/secure-cookies

Do not leak HTTPS cookies to HTTP or JS
alanhogan · Sep 16, 2017 · 215a166 · 215a166
2 parents 8a6b472 + f967a19
commit 215a166
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/-/index.php b/-/index.php
@@ -104,7 +104,14 @@ function bcurls_find_banned_glyph($slug) {
 {
 	if (md5($_POST['username'].$_POST['password'].COOKIE_SALT) == COOKIE_VALUE)
 	{
-		setcookie(COOKIE_NAME, COOKIE_VALUE, NOW + YEAR, '/', COOKIE_DOMAIN);
+		setcookie(COOKIE_NAME,
+			COOKIE_VALUE,
+			NOW + YEAR,
+			'/',
+			COOKIE_DOMAIN,
+			$_SERVER['HTTPS'], // If we are on HTTPS, do not leak cookie to HTTP
+			true // HTTPONLY (don't let JS examine the cookie)
+		);
 		$_COOKIE[COOKIE_NAME] = COOKIE_VALUE;
 	}
 }
@@ -135,7 +142,14 @@ function bcurls_find_banned_glyph($slug) {
 // prolong login for another year, unless this is an API request
 else if (!isset($_GET['api']))
 {
-	setcookie(COOKIE_NAME, COOKIE_VALUE, NOW + YEAR, '/', COOKIE_DOMAIN);
+	setcookie(COOKIE_NAME,
+		COOKIE_VALUE,
+		NOW + YEAR,
+		'/',
+		COOKIE_DOMAIN,
+		$_SERVER['HTTPS'], // If we are on HTTPS, do not leak cookie to HTTP
+		true // HTTPONLY (don't let JS examine the cookie)
+	);
 }
 
 // Successfully logged in, so