From a51a78b71c4ccd1be98c96d45ec162fb1ca00cd6 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Sun, 18 Nov 2012 20:01:37 +1300
Subject: [PATCH] Bug 9102 : Set HttpOnly on the CGISESSID cookie

https://www.owasp.org/index.php/HttpOnly

Signed-off-by: Kyle M Hall
Signed-off-by: Katrin Fischer

To test, use curl

Before the patch
% curl -I http://192.168.2.135
HTTP/1.1 200 OK
Date: Sun, 18 Nov 2012 06:56:49 GMT
Server: Apache/2.2.22 (Ubuntu)
Pragma: no-cache
Cache-control: no-cache
Content-script-type: text/javascript
Content-style-type: text/css
Set-Cookie: CGISESSID=19689f6e7d8ec94c25269fecebf2f009; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

After patch
% curl -I http://192.168.2.135
HTTP/1.1 200 OK
Date: Sun, 18 Nov 2012 07:01:04 GMT
Server: Apache/2.2.22 (Ubuntu)
Pragma: no-cache
Cache-control: no-cache
Content-script-type: text/javascript
Content-style-type: text/css
Set-Cookie: CGISESSID=da25baf03c0bc1e2c512a627028e43e6; path=/; HttpOnly
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

Signed-off-by: Jared Camins-Esakov
---
 C4/Auth.pm | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b32136a033..2eb63f5170 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -635,13 +635,15 @@ sub checkauth {
 if ( $userid = $ENV{'REMOTE_USER'} ) {
 # Using Basic Authentication, no cookies required
 $cookie = $query->cookie(
- -name => 'CGISESSID',
- -value => '',
- -expires => ''
+ -name => 'CGISESSID',
+ -value => '',
+ -expires => '',
+ -HttpOnly => 1,
 );
 $loggedin = 1;
 }
- elsif ( $sessionID = $query->cookie("CGISESSID")) { # assignment, not comparison
+ elsif ( $sessionID = $query->cookie("CGISESSID") )
+ { # assignment, not comparison
 my $session = get_session($sessionID);
 C4::Context->_new_userenv($sessionID);
 my ($ip, $lasttime, $sessiontype);
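Review bot: The new cookie attributes add `-HttpOnly => 1` but never `-secure`, so the CGISESSID value is still sent over plain HTTP whenever the site is also reachable over TLS; the same gap exists in the hunks at 707, 724 and 916. Because the test in the commit message runs over http://, the flag cannot be unconditional and has to follow whether the request arrived over TLS (`$ENV{HTTPS}` is set by the web server in that case), which is easiest to keep correct if the four near-identical `$query->cookie(...)` calls are routed through one helper that owns the CGISESSID attributes — the Basic-auth call in this hunk is the only one that also passes `-expires => ''`, so the helper must accept extra attributes. The `elsif` change that moves `{` onto its own line is a formatter artifact and alters nothing. The enclosing `checkauth` body continues outside the hunk.
```perl
# Every CGISESSID cookie must carry the same protective attributes; build it in one place.
sub _session_cookie {
    my ( $query, $value, %extra ) = @_;
    return $query->cookie(
        -name     => 'CGISESSID',
        -value    => $value,
        -HttpOnly => 1,
        -secure   => ( $ENV{HTTPS} ? 1 : 0 ),    # only when the request arrived over TLS
        %extra,
    );
}

# … unchanged: REMOTE_USER check …
        $cookie = _session_cookie( $query, '', -expires => '' );
```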
@@ -707,8 +709,12 @@ sub checkauth {
 $userid = undef;
 }
 else {
- $cookie = $query->cookie( CGISESSID => $session->id );
- $session->param('lasttime',time());
+ $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => $session->id,
+ -HttpOnly => 1
+ );
+ $session->param( 'lasttime', time() );
 unless ( $sessiontype && $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
 $flags = haspermission($userid, $flagsrequired);
 if ($flags) {
@@ -724,8 +730,12 @@ sub checkauth {
 my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
 my $sessionID = $session->id;
 C4::Context->_new_userenv($sessionID);
- $cookie = $query->cookie( CGISESSID => $sessionID );
- $userid = $query->param('userid');
+ $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => $session->id,
+ -HttpOnly => 1
+ );
+ $userid = $query->param('userid');
 if ( ( $cas && $query->param('ticket') )
 || $userid
 || ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
@@ -916,7 +926,11 @@ sub checkauth {
 {
 # successful login
 unless ($cookie) {
- $cookie = $query->cookie( CGISESSID => '' );
+ $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => '',
+ -HttpOnly => 1
+ );
 }
 return ( $userid, $cookie, $sessionID, $flags );
 }
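Review bot: In the hunk at 724 the new `-value => $session->id` re-derives the id that the context line two above already stored in `$sessionID`, and which the removed line and the `C4::Context->_new_userenv($sessionID)` call right before both use; `-value => $sessionID,` keeps the cookie and the userenv visibly tied to the same value. It is a readability point only — both expressions evaluate to the same session id. `checkauth` continues outside this hunk.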