Bug 9102 : Set HttpOnly on the CGISESSID cookie
https://www.owasp.org/index.php/HttpOnly Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> To test, use curl. Before the patch: % curl -I http://192.168.2.135 HTTP/1.1 200 OK Date: Sun, 18 Nov 2012 06:56:49 GMT Server: Apache/2.2.22 (Ubuntu) Pragma: no-cache Cache-control: no-cache Content-script-type: text/javascript Content-style-type: text/css Set-Cookie: CGISESSID=19689f6e7d8ec94c25269fecebf2f009; path=/ Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 After the patch: % curl -I http://192.168.2.135 HTTP/1.1 200 OK Date: Sun, 18 Nov 2012 07:01:04 GMT Server: Apache/2.2.22 (Ubuntu) Pragma: no-cache Cache-control: no-cache Content-script-type: text/javascript Content-style-type: text/css Set-Cookie: CGISESSID=da25baf03c0bc1e2c512a627028e43e6; path=/; HttpOnly Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
This commit is contained in:
parent
c27a981856
commit
a51a78b71c
1 changed files with 23 additions and 9 deletions
32
C4/Auth.pm
32
C4/Auth.pm
|
@ -635,13 +635,15 @@ sub checkauth {
|
|||
if ( $userid = $ENV{'REMOTE_USER'} ) {
|
||||
# Using Basic Authentication, no cookies required
|
||||
$cookie = $query->cookie(
|
||||
-name => 'CGISESSID',
|
||||
-value => '',
|
||||
-expires => ''
|
||||
-name => 'CGISESSID',
|
||||
-value => '',
|
||||
-expires => '',
|
||||
-HttpOnly => 1,
|
||||
);
|
||||
$loggedin = 1;
|
||||
}
|
||||
elsif ( $sessionID = $query->cookie("CGISESSID")) { # assignment, not comparison
|
||||
elsif ( $sessionID = $query->cookie("CGISESSID") )
|
||||
{ # assignment, not comparison
|
||||
my $session = get_session($sessionID);
|
||||
C4::Context->_new_userenv($sessionID);
|
||||
my ($ip, $lasttime, $sessiontype);
|
||||
|
@ -707,8 +709,12 @@ sub checkauth {
|
|||
$userid = undef;
|
||||
}
|
||||
else {
|
||||
$cookie = $query->cookie( CGISESSID => $session->id );
|
||||
$session->param('lasttime',time());
|
||||
$cookie = $query->cookie(
|
||||
-name => 'CGISESSID',
|
||||
-value => $session->id,
|
||||
-HttpOnly => 1
|
||||
);
|
||||
$session->param( 'lasttime', time() );
|
||||
unless ( $sessiontype && $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
|
||||
$flags = haspermission($userid, $flagsrequired);
|
||||
if ($flags) {
|
||||
|
@ -724,8 +730,12 @@ sub checkauth {
|
|||
my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
|
||||
my $sessionID = $session->id;
|
||||
C4::Context->_new_userenv($sessionID);
|
||||
$cookie = $query->cookie( CGISESSID => $sessionID );
|
||||
$userid = $query->param('userid');
|
||||
$cookie = $query->cookie(
|
||||
-name => 'CGISESSID',
|
||||
-value => $session->id,
|
||||
-HttpOnly => 1
|
||||
);
|
||||
$userid = $query->param('userid');
|
||||
if ( ( $cas && $query->param('ticket') )
|
||||
|| $userid
|
||||
|| ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
|
||||
|
@ -916,7 +926,11 @@ sub checkauth {
|
|||
{
|
||||
# successful login
|
||||
unless ($cookie) {
|
||||
$cookie = $query->cookie( CGISESSID => '' );
|
||||
$cookie = $query->cookie(
|
||||
-name => 'CGISESSID',
|
||||
-value => '',
|
||||
-HttpOnly => 1
|
||||
);
|
||||
}
|
||||
return ( $userid, $cookie, $sessionID, $flags );
|
||||
}
|
||||
|
|
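Review bot: The new `$query->cookie(...)` calls in all four hunks set `-HttpOnly => 1` but no `-secure` flag, so when Koha is served over HTTPS the session id is still sent by the browser on any plain-HTTP request to the same host; adding `-secure => ( $query->https ? 1 : 0 )` next to `-HttpOnly => 1` scopes the cookie to TLS only when the request itself arrived over TLS, so plain-HTTP installs keep working. The same four-line argument list is now repeated at four call sites, which is exactly how the flags drift apart over time, so a small private helper in C4/Auth.pm that builds the CGISESSID cookie would keep them uniform and give one place to change. If other code in this file or in callers constructs the CGISESSID cookie (none is visible in these hunks), it would presumably need the same flags. checkauth's body begins and ends outside these hunks.

```perl
# Build the CGISESSID cookie with one uniform set of flags.
# HttpOnly keeps the id out of document.cookie; Secure is added only when
# the current request came over TLS so plain-HTTP deployments are unaffected.
sub _get_session_cookie {
    my ( $query, $value, %extra ) = @_;
    return $query->cookie(
        -name     => 'CGISESSID',
        -value    => $value,
        -HttpOnly => 1,
        -secure   => ( $query->https ? 1 : 0 ),
        %extra,
    );
}

# … unchanged: rest of checkauth …
# at each of the four call sites, e.g. the REMOTE_USER branch:
$cookie = _get_session_cookie( $query, '', -expires => '' );
```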