
Commit ee363e3

author
Jamie Snape
committed
Ensure cookies have httponly and secure flags set
1 parent 0b0978b commit ee363e3

11 files changed

+148
-49
lines changed


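--- a/core/AppController.php
+++ b/core/AppController.php
@@ -30,6 +30,7 @@
 */
 class AppController extends MIDAS_GlobalController
 {
+
 /** @var string */
 protected $coreWebroot;
 
@@ -104,11 +105,14 @@ public function preDispatch()
 $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
 }
 
+/** @var Zend_Controller_Request_Http $request */
+$request = $this->getRequest();
+
 if ($user->Dao == null && $fc->getRequest()->getControllerName() != 'install'
 ) {
 /** @var UserModel $userModel */
 $userModel = MidasLoader::loadModel('User');
-$cookieData = $this->getRequest()->getCookie('midasUtil');
+$cookieData = $request->getCookie(MIDAS_USER_COOKIE_NAME);
 
 if (!empty($cookieData)) {
 $notifier = new MIDAS_Notifier(false, null);
@@ -152,7 +156,8 @@ public function preDispatch()
 $this->logged = true;
 $this->view->logged = true;
 $this->view->userDao = $user->Dao;
-$cookieData = $this->getRequest()->getCookie('recentItems'.$this->userSession->Dao->user_id);
+$cookieName = hash('sha1', MIDAS_ITEM_COOKIE_NAME.$this->userSession->Dao->user_id);
+$cookieData = $request->getCookie($cookieName);
 $this->view->recentItems = array();
 if (isset($cookieData) && file_exists(LOCAL_CONFIGS_PATH.'/database.local.ini')
 ) { // check if midas installed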
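Review bot: `$request` is introduced on new line 109, but the condition on line 111 still fetches the same request through `$fc->getRequest()->getControllerName()`, so the refactor is only half applied; change it to `$request->getControllerName()` to match the rest of the hunk. In the third hunk the recent-items cookie name is hashed from `$this->userSession->Dao->user_id`, while ItemController::viewAction in this same commit hashes `$this->userSession->Dao->getKey()`; if those values ever differ the cookie written there is never read here, so a comment on line 159 such as `// must match the name derived in ItemController::viewAction` would protect the pairing. preDispatch starts before and continues after these hunks.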

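--- a/core/Bootstrap.php
+++ b/core/Bootstrap.php
@@ -44,16 +44,27 @@ protected function _initConfig()
 {
 // init language
 $configGlobal = new Zend_Config_Ini(APPLICATION_CONFIG, 'global', true);
-if (isset($_COOKIE['lang'])) {
-$configGlobal->application->lang = $_COOKIE['lang'];
+if (isset($_COOKIE[MIDAS_LANGUAGE_COOKIE_NAME])) {
+$configGlobal->application->lang = $_COOKIE[MIDAS_LANGUAGE_COOKIE_NAME];
 }
 
 if (isset($_GET['lang'])) {
-if ($_GET['lang'] != 'en' && $_GET['lang'] != 'fr') {
-$_GET['lang'] = 'en';
+$language = $_GET['lang'];
+if ($language !== 'en' && $language !== 'fr') {
+$language = 'en';
 }
-$configGlobal->application->lang = $_GET['lang'];
-setcookie("lang", $_GET['lang'], time() + 60 * 60 * 24 * 30 * 20, '/'); // 30 days *20
+$configGlobal->application->lang = $language;
+$date = new DateTime();
+$interval = new DateInterval('P1M');
+setcookie(
+MIDAS_LANGUAGE_COOKIE_NAME,
+$language,
+$date->add($interval)->getTimestamp(),
+'/',
+!empty($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'],
+(int) $configGlobal->get('cookie_secure', 1) === 1,
+true
+);
 }
 
 Zend_Registry::set('configGlobal', $configGlobal);
@@ -401,4 +412,17 @@ protected function _initREST()
 $restContexts = new REST_Controller_Action_Helper_RestContexts();
 Zend_Controller_Action_HelperBroker::addHelper($restContexts);
 }
+
+/** Configure the session. */
+protected function _initSession()
+{
+$this->bootstrap('Config');
+$config = Zend_Registry::get('configGlobal');
+$options = array(
+'cookie_httponly' => true,
+'cookie_secure' => (int) $config->get('cookie_secure', 1) === 1,
+'gc_maxlifetime' => 600,
+);
+Zend_Session::setOptions($options);
+}
 }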
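Review bot: The cookie domain on new line 64 is taken from `$_SERVER['HTTP_HOST']`, which is the client-supplied Host header, so the language cookie is scoped to whatever host the client named, and a Host value that carries a port (`host:8080`) is not a valid cookie domain and is discarded by browsers; passing `''` as the domain keeps the cookie bound to the request host, which is what the removed line 56 did implicitly, without trusting the header. Separately, `'gc_maxlifetime' => 600` on line 424 lets PHP garbage-collect session data after ten minutes of inactivity regardless of `session->lifetime`, which AppController and UserController pass to `setExpirationSeconds` elsewhere in this commit; deriving it from the same setting, `'gc_maxlifetime' => 60 * $config->session->lifetime,`, avoids server-side sessions vanishing before their cookie does. `_initConfig` begins before the first hunk.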

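--- a/core/configs/application.ini
+++ b/core/configs/application.ini
@@ -21,6 +21,8 @@ dynamichelp = "1"
 password.prefix =
 ; outbound HTTP proxy to be used by PHP (empty for none)
 httpproxy =
+; require secure cookies
+cookie_secure = "0"
 ; show debug toolbar
 debug_toolbar = "0"
 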
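Review bot: The new `cookie_secure = "0"` default turns the Secure flag off for fresh installs, while every code site in this commit (Bootstrap.php, FeedController, ItemController, UserController, CallbackController) falls back to `1` when the key is absent, so an upgraded deployment that never adds this key ends up stricter than a new one; the comment should spell out the semantics and the intended value, e.g. `; send cookies with the Secure flag so browsers only return them over HTTPS ("1" recommended; "0" only for plain-HTTP deployments)`. If the intent is secure-by-default, ship `"1"` here and let HTTP-only deployments opt out explicitly.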

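--- a/core/constant/core.php
+++ b/core/constant/core.php
@@ -93,3 +93,8 @@
 define('MIDAS_USER_PUBLIC', 0);
 define('MIDAS_USER_PRIVATE', 1);
 define('MIDAS_MAXIMUM_FOLDER_NUMBERS_PER_LEVEL', 1000);
+
+define('MIDAS_FEED_COOKIE_NAME', '7d35274374e65b9f96029ba04648cc6d4bd00371');
+define('MIDAS_ITEM_COOKIE_NAME', '5a4c76b5be3cecac6695e80232ba95921aeab03e');
+define('MIDAS_LANGUAGE_COOKIE_NAME', '78ee012e5b9b482f21f984208bf378caec116024');
+define('MIDAS_USER_COOKIE_NAME', '9afc792c9f51b69fa1aec4c41286ed3997f93c48');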
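Review bot: The four new constants are bare 40-character hex strings with no comment saying what they are or how they are consumed, which the next maintainer will need; a short header above line 97 would do: `// Cookie names. The user and language cookies use the constant as-is; the feed and item cookies use hash('sha1', <constant> . <user key>) so each user gets a distinct cookie (see AppController, FeedController, ItemController).` It is worth adding in the same comment that the opaque names are not a security control — the values are protected by the httponly/secure flags set where the cookies are written — so nobody later treats these strings as secrets or rotates them expecting a security effect.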

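--- a/core/controllers/FeedController.php
+++ b/core/controllers/FeedController.php
@@ -46,17 +46,26 @@ public function indexAction()
 $this->view->header = $this->t('Feed');
 
 if ($this->logged && !$this->isTestingEnv()) {
+$cookieName = hash('sha1', MIDAS_FEED_COOKIE_NAME.$this->userSession->Dao->getKey());
+
+/** @var Zend_Controller_Request_Http $request */
 $request = $this->getRequest();
-$cookieData = $request->getCookie('newFeed'.$this->userSession->Dao->getKey());
+$cookieData = $request->getCookie($cookieName);
+
 if (isset($cookieData) && is_numeric($cookieData)) {
 $this->view->lastFeedVisit = $cookieData;
 }
+$date = new DateTime();
+$interval = new DateInterval('P1M');
 setcookie(
-'newFeed'.$this->userSession->Dao->getKey(),
-strtotime("now"),
-time() + 60 * 60 * 24 * 300,
-'/'
-); // 30 days
+$cookieName,
+$date->getTimestamp(),
+$date->add($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
 }
 
 $this->addDynamicHelp(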
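Review bot: `$request->getHttpHost()` on new line 65 is passed as the cookie domain, and in Zend Framework 1 that method returns the raw Host header, or `SERVER_NAME:port` when the port is non-standard (worth confirming against the bundled Zend version); a domain with a port is invalid and the cookie is dropped by browsers, and the bare Host header is client-controlled, so the cookie's scope is whatever the client said. The same call is used for the same purpose in ItemController, UserController and the googleauth CallbackController in this commit; since every one of these means "the current host", passing `''` for the domain gives that scope without either problem. Lines 62–63 also depend on left-to-right argument evaluation, reading `$date->getTimestamp()` before `$date->add($interval)` mutates the same object; computing `$now = $date->getTimestamp();` and `$expires = $date->add($interval)->getTimestamp();` before the call makes the ordering explicit.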

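--- a/core/controllers/ItemController.php
+++ b/core/controllers/ItemController.php
@@ -158,9 +158,12 @@ public function viewAction()
 }
 }
 }
-if ($this->logged) {
+if ($this->logged && !$this->isTestingEnv()) {
+$cookieName = hash('sha1', MIDAS_ITEM_COOKIE_NAME.$this->userSession->Dao->getKey());
+
+/** @var Zend_Controller_Request_Http $request */
 $request = $this->getRequest();
-$cookieData = $request->getCookie('recentItems'.$this->userSession->Dao->getKey());
+$cookieData = $request->getCookie($cookieName);
 $recentItems = array();
 if (isset($cookieData)) {
 $recentItems = unserialize($cookieData);
@@ -179,15 +182,17 @@ public function viewAction()
 }
 $recentItems = array_reverse($tmp);
 $recentItems[] = $itemDao->getKey();
-
-if (!headers_sent()) {
-setcookie(
-'recentItems'.$this->userSession->Dao->getKey(),
-serialize($recentItems),
-time() + 60 * 60 * 24 * 30,
-'/'
-); // 30 days
-}
+$date = new DateTime();
+$interval = new DateInterval('P1M');
+setcookie(
+$cookieName,
+serialize($recentItems),
+$date->add($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
 }
 
 $this->Item->incrementViewCount($itemDao);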
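Review bot: The `if (!headers_sent())` guard around the old setcookie (removed lines 183–190) is gone, so if any output has already been flushed the new call on line 187 raises a "headers already sent" warning and the cookie is silently not set; either restore `if (!headers_sent()) {` around lines 185–195 or add a comment stating why output cannot have started at this point. The value written on line 189 is `serialize($recentItems)` and is read back on context line 169 with `unserialize($cookieData)`; because the cookie is client-controlled and the payload is only a list of item keys, storing it as `json_encode($recentItems)` and reading it with `json_decode($cookieData, true)` (or, on PHP 7+, `unserialize($cookieData, array('allowed_classes' => false))`) removes the object-deserialisation path with no loss of function. viewAction continues outside both hunks.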

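--- a/core/controllers/UserController.php
+++ b/core/controllers/UserController.php
@@ -151,7 +151,18 @@ public function logoutAction()
 session_start(); // we closed session before, must restart it to logout
 $this->userSession->Dao = null;
 Zend_Session::ForgetMe();
-setcookie('midasUtil', null, time() + 60 * 60 * 24 * 30, '/'); // 30 days
+$request = $this->getRequest();
+$date = new DateTime();
+$interval = new DateInterval('P1M');
+setcookie(
+MIDAS_USER_COOKIE_NAME,
+null,
+$date->sub($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
 $noRedirect = $this->getParam('noRedirect');
 if (isset($noRedirect)) {
 $this->disableView();
@@ -487,12 +498,18 @@ public function ajaxloginAction()
 if ($userDao->getSalt() == '') {
 $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
 }
+$request = $this->getRequest();
+$date = new DateTime();
+$interval = new DateInterval('P1M');
 setcookie(
-'midasUtil',
+MIDAS_USER_COOKIE_NAME,
 $userDao->getKey().'-'.$passwordHash,
-time() + 60 * 60 * 24 * 30,
-'/'
-); // 30 days
+$date->add($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
 Zend_Session::start();
 $user = new Zend_Session_Namespace('Auth_User');
 $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
@@ -508,14 +525,15 @@ public function ajaxloginAction()
 /** Login action */
 public function loginAction()
 {
-$this->Form->User->uri = $this->getRequest()->getRequestUri();
+$request = $this->getRequest();
+$this->Form->User->uri = $request->getRequestUri();
 $form = $this->Form->User->createLoginForm();
 $this->view->form = $this->getFormAsArray($form);
 $this->disableLayout();
 if ($this->_request->isPost()) {
 $this->disableView();
 $previousUri = $this->getParam('previousuri');
-if ($form->isValid($this->getRequest()->getPost())) {
+if ($form->isValid($request->getPost())) {
 try {
 $notifications = array(); // initialize first in case of exception
 $notifications = Zend_Registry::get('notifier')->callback(
@@ -576,18 +594,29 @@ public function loginAction()
 $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
 }
 $remember = $form->getValue('remerberMe');
-if (!$authModule && isset($remember) && $remember == 1) {
-if (!$this->isTestingEnv()) {
+if (!$this->isTestingEnv()) {
+$date = new DateTime();
+$interval = new DateInterval('P1M');
+if (!$authModule && isset($remember) && $remember == 1) {
 setcookie(
-'midasUtil',
+MIDAS_USER_COOKIE_NAME,
 $userDao->getKey().'-'.$passwordHash,
-time() + 60 * 60 * 24 * 30,
-'/'
-); // 30 days
-}
-} else {
-if (!$this->isTestingEnv()) {
-setcookie('midasUtil', null, time() + 60 * 60 * 24 * 30, '/'); // 30 days
+$date->add($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
+} else {
+setcookie(
+MIDAS_USER_COOKIE_NAME,
+null,
+$date->sub($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
 Zend_Session::start();
 $user = new Zend_Session_Namespace('Auth_User');
 $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
@@ -1286,7 +1315,18 @@ public function deleteAction()
 session_start();
 $this->userSession->Dao = null;
 Zend_Session::ForgetMe();
-setcookie('midasUtil', null, time() + 60 * 60 * 24 * 30, '/');
+$request = $this->getRequest();
+$date = new DateTime();
+$interval = new DateInterval('P1M');
+setcookie(
+MIDAS_USER_COOKIE_NAME,
+null,
+$date->sub($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
+);
 }
 }
 $this->_helper->viewRenderer->setNoRender();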
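Review bot: The same nine-line setcookie block for MIDAS_USER_COOKIE_NAME now appears five times in this file (logoutAction, ajaxloginAction, both branches of loginAction, deleteAction) and once more in the googleauth CallbackController, each repeating the `'P1M'` interval, the `'/'` path, `$request->getHttpHost()` and the `'cookie_secure', 1` fallback; a helper on the shared base controller taking the cookie value and a set/clear flag would make any future change to the domain, lifetime or secure default a single edit. The rewritten condition on line 600 keeps `$remember == 1`, a loose comparison against a form value; `(string) $remember === '1'` pins it. In loginAction the `else` branch (lines 610–619) runs straight into `Zend_Session::start()` on line 620 within the hunk, and the closing braces lie outside it, so I could not confirm from the hunk that both the remember and non-remember paths reach the session start — worth a glance.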

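--- a/modules/googleauth/controllers/CallbackController.php
+++ b/modules/googleauth/controllers/CallbackController.php
@@ -191,13 +191,20 @@ protected function _createOrGetUser($info)
 }
 
 $userapi = $this->Userapi->getByAppAndUser('Default', $user);
+$request = $this->getRequest();
+$date = new DateTime();
+$interval = new DateInterval('P1M');
 setcookie(
-'midasUtil',
+MIDAS_USER_COOKIE_NAME,
 'googleauth:'.$user->getKey().':'.md5($userapi->getApikey()),
-time() + 60 * 60 * 24 * 30,
-'/'
+$date->add($interval)->getTimestamp(),
+'/',
+$request->getHttpHost(),
+(int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+true
 );
 
+
 return $user;
 }
 }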
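Review bot: `_createOrGetUser` issues the login cookie on lines 194–205, a side effect its name does not suggest, and the method's docblock is outside the hunk; add a line to it such as `Side effect: sets the MIDAS_USER_COOKIE_NAME login cookie for the returned user.` so callers know a response header is emitted from a method that reads like a lookup. The blank line added at 207 sits directly after the existing blank line 206, leaving two empty lines before `return $user;`; drop one.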

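--- a/modules/javauploaddownload/controllers/UploadController.php
+++ b/modules/javauploaddownload/controllers/UploadController.php
@@ -206,9 +206,9 @@ public function javadestinationfolderAction()
 $this->disableLayout();
 
 if (Zend_Registry::get('configGlobal')->environment != 'testing') {
-// give a week-long session cookie in case the download lasts a long time
+// give a three day session cookie in case the download lasts a long time
 session_start();
-$this->userSession->setExpirationSeconds(60 * 60 * 24 * 7);
+$this->userSession->setExpirationSeconds(60 * max(60 * 24 * 3, Zend_Registry::get('configGlobal')->session->lifetime));
 session_write_close();
 }
 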
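Review bot: The comment on new line 209 says "three day session cookie", but the expression on line 211, `60 * max(60 * 24 * 3, ...session->lifetime)`, yields at least three days and more whenever the configured lifetime is larger; make the comment match: `// give a session of at least three days (or the configured session lifetime, whichever is longer) in case the download lasts a long time`. The expression also assumes `session->lifetime` is in minutes, which agrees with the `60 * ...->session->lifetime` uses in AppController and UserController in this commit but is stated nowhere in the hunk; a trailing `// lifetime is in minutes` would close that gap.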

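--- a/modules/mfa/Notification.php
+++ b/modules/mfa/Notification.php
@@ -70,7 +70,7 @@ public function authIntercept($params)
 // write temp user into session for asynchronous confirmation
 Zend_Session::start();
 $userSession = new Zend_Session_Namespace('Mfa_Temp_User');
-$userSession->setExpirationSeconds(600); // "limbo" state should invalidate after 10 minutes
+$userSession->setExpirationSeconds(60 * min(10, Zend_Registry::get('configGlobal')->session->lifetime)); // "limbo" state should invalidate after 10 minutes
 $userSession->Dao = $user;
 $userSession->lock();
 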
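Review bot: The trailing comment on new line 73 still reads "should invalidate after 10 minutes", but the expression is now `60 * min(10, ...session->lifetime)`, so a shorter configured session lifetime shortens the limbo window; update it to `// "limbo" state invalidates after 10 minutes, or after the configured session lifetime if that is shorter`. The line is now well past the usual 120-column limit; computing `$limboMinutes = min(10, Zend_Registry::get('configGlobal')->session->lifetime);` on its own line first would keep it readable. authIntercept continues outside the hunk.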
