Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SameSite support for cookies #1566

Closed
DavidLiedke opened this issue Apr 24, 2018 · 16 comments
Closed

Add SameSite support for cookies #1566

DavidLiedke opened this issue Apr 24, 2018 · 16 comments
Labels
enhancement General tag for an enhancement resolved A fixed issue SECURITY A security issue reported through CVE
Milestone

Comments

@DavidLiedke
Copy link
Contributor

Feature allready enabled by default in Chrome since version 63.
Mozilla enable this feature with Firefox 60.

https://www.bleepingcomputer.com/news/security/firefox-improves-csrf-protection-with-support-for-same-site-cookies/

@DavidLiedke DavidLiedke changed the title Add SameSite support for cookies enhancement: Add SameSite support for cookies Apr 24, 2018
@netniV
Copy link
Member

netniV commented Apr 25, 2018

I don't think that should be too difficult a request. I think we probably need to move to having a common routines so that things like headers can be output automatically. Are there any others you think could/should be included that are not currently?

Cacti does not rely on any third party sites so I personally think it could be set to strict at this point in time with the option for an admin to switch it to lax or off. The latter more for integration purposes if there is ever a specific need.

@DavidLiedke
Copy link
Contributor Author

Yes i think the strict mode is the right one with a option to switch it.

What do you think about secure cookies?
https://www.sjoerdlangkemper.nl/2017/02/09/cookie-prefixes/
https://www.sjoerdlangkemper.nl/2017/10/25/strict-secure-cookies/

@netniV
Copy link
Member

netniV commented Apr 25, 2018

That should be optionally as often people run cacti inhouse without using SSL, so adding the host or secure prefixes wouldn't work as http isn't allowed to write those.

@netniV
Copy link
Member

netniV commented Apr 25, 2018

Also, having them enabled for the secure version after using the insecure version will cause any insecure cookie to be ignored due to the new optional prefix being used, having the effect of logging people out.

@DavidLiedke
Copy link
Contributor Author

The secure cookie option can be combined with the "Force Connections over HTTPS" option.

@netniV
Copy link
Member

netniV commented Apr 25, 2018

I guess it could since that will force a redirect to the HTTPS option. Again, it would mean changing that option so it produces a warning when enabled because if logins have been using cookies for a long time, people may not remember what their password is, thus end up locked out :)

@cigamit cigamit added the enhancement General tag for an enhancement label Apr 28, 2018
@netniV netniV added this to the Cacti 1.3 milestone Jul 26, 2018
@TheWitness
Copy link
Member

@netniV wasn't this fixed already by @cigamit?

@TheWitness TheWitness added the SECURITY A security issue reported through CVE label Mar 17, 2020
@netniV
Copy link
Member

netniV commented Mar 20, 2020

Err, good question, let me check...

@netniV
Copy link
Member

netniV commented Mar 20, 2020

Unfortunately, whilst some code was put in, I don't believe that we are being consistent. For example, lib/auth.php has the following code within set_auth_cookie():

if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        setcookie('cacti_remembers', $user['username'] . ',' . $nssecret, time()+(86400*30), $config['url_path'], NULL, true, true);
} else {
        setcookie('cacti_remembers', $user['username'] . ',' . $nssecret, time()+(86400*30), $config['url_path']);
}

However, there are other uses of setcookie() that do not make the same check. So I think we need to move the above checks into a generic set_cookie() function and ensure we are consistent.

./auth_changepassword.php:86:   setcookie($cacti_session_name, null, -1, $config['url_path']);
./auth_login.php:486:   setcookie(session_name(), '', time() - 3600, $config['url_path']);
./lib/auth.php:44:                                      setcookie('cacti_remembers', '', time() - 3600, $config['url_path']);
./lib/auth.php:75:                      setcookie('cacti_remembers', $user['username'] . ',' . $nssecret, time()+(86400*30), $config['url_path'], NULL, true, true);
./lib/auth.php:77:                      setcookie('cacti_remembers', $user['username'] . ',' . $nssecret, time()+(86400*30), $config['url_path']);
./include/vendor/csrf/csrf-magic.php:141:               setcookie($GLOBALS['csrf']['cookie'], $val, time() + 3600, $GLOBALS['csrf']['url_path']);

@TheWitness
Copy link
Member

Makes sense.

@TheWitness TheWitness modified the milestones: v1.3.0, 1.2.11 Mar 21, 2020
@TheWitness
Copy link
Member

So, I did a review of this and have found that the cacti_remembers is more for session history control, I am making a change to global.php right now, that on php7.3 and above will implement this through the session_start() call, and for prior versions, through the Cookie header.

@TheWitness TheWitness changed the title enhancement: Add SameSite support for cookies Add SameSite support for cookies Mar 21, 2020
TheWitness added a commit that referenced this issue Mar 21, 2020
* Add SameSite support for cookies
* Add some light formatting for readability
@TheWitness TheWitness added the resolved A fixed issue label Mar 21, 2020
TheWitness added a commit that referenced this issue Mar 21, 2020
Need to change to $config due to old PHP5.
@TheWitness TheWitness reopened this Mar 22, 2020
@TheWitness
Copy link
Member

Confirmed with @netniV that PHP7.x does not like this setup. Making some additional changes.

@ddb4github
Copy link
Contributor

CHANGELOG still have SameSite line

@TheWitness
Copy link
Member

@ddb4github, Same site is done now. There was another change not pinned to this ticket.

@TheWitness
Copy link
Member

Here is the commit:

f8b9483#diff-347d8bac8d944a3900b3284f46de3045

@ddb4github
Copy link
Contributor

ddb4github commented Mar 23, 2020

Here is the commit:

f8b9483#diff-347d8bac8d944a3900b3284f46de3045

Known now. Just look "Reject" in commit log and guess you rollback all previous change.

@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement General tag for an enhancement resolved A fixed issue SECURITY A security issue reported through CVE
Projects
None yet
Development

No branches or pull requests

5 participants