From bc5f5f4f011c05517cf31c366da115dd97de1f36 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 3 Dec 2012 11:17:27 +0100
Subject: [PATCH] Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie

Signed-off-by: Galen Charlton
Signed-off-by: Marcel de Rooy
Signed-off-by: Jared Camins-Esakov
---
 C4/Auth.pm | 29 +++++++++++++++++++----------
 C4/Templates.pm | 1 +
 cataloguing/additem.pl | 1 +
 installer/InstallAuth.pm | 14 ++++++++++++--
 4 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 2eb63f5170..ac3f3f8766 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -264,12 +264,13 @@ sub get_template_and_user {
 $_->{'time'},
 ) foreach @recentSearches;
 
- # And then, delete the cookie's content
- my $newsearchcookie = $in->{'query'}->cookie(
- -name => 'KohaOpacRecentSearches',
- -value => freeze([]),
- -expires => ''
- );
+ # And then, delete the cookie's content
+ my $newsearchcookie = $in->{'query'}->cookie(
+ -name => 'KohaOpacRecentSearches',
+ -value => freeze([]),
+ -HttpOnly => 1,
+ -expires => ''
+ );
 $cookie = [$cookie, $newsearchcookie];
 }
 }
@@ -632,8 +633,8 @@ sub checkauth {
 # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml
 my $casparam = $query->param('cas');
 
- if ( $userid = $ENV{'REMOTE_USER'} ) {
- # Using Basic Authentication, no cookies required
+ if ( $userid = $ENV{'REMOTE_USER'} ) {
+ # Using Basic Authentication, no cookies required
 $cookie = $query->cookie(
 -name => 'CGISESSID',
 -value => '',
@@ -1135,7 +1136,11 @@ sub check_api_auth {
 $sessionID = undef;
 return ("expired", undef, undef);
 } else {
- my $cookie = $query->cookie( CGISESSID => $session->id );
+ my $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => $session->id,
+ -HttpOnly => 1,
+ );
 $session->param('lasttime',time());
 my $flags = haspermission($userid, $flagsrequired);
 if ($flags) {
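Review bot: HttpOnly is added here only to the replacement cookie that empties KohaOpacRecentSearches; whatever code first writes that cookie (outside this hunk) needs the same attribute, because each Set-Cookie replaces the previous attribute set and the flag is only as good as the most recent write. The value is still a Storable `freeze` of client-held data, and HttpOnly does nothing against the client editing it — the code that reads this cookie back presumably thaws it, so that remains untrusted input regardless of this flag. get_template_and_user starts and ends outside the hunk.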
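Review bot: The rebuilt CGISESSID cookie in check_api_auth gets HttpOnly but no Secure attribute, so on a TLS deployment the browser will still send the session id over any plain-HTTP link to the same host. Adding `-secure => ( $ENV{HTTPS} ? 1 : 0 ),` next to `-HttpOnly => 1,` (or a preference-driven equivalent, since I can't see from here how Koha learns the request scheme) would close that, and as far as I recall CGI.pm only emits the attribute when the value is true, so HTTP-only installs are unaffected. The same applies to the other three CGISESSID constructions in this patch. check_api_auth continues outside the hunk.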
@@ -1179,7 +1184,11 @@ sub check_api_auth {
 my $sessionID = $session->id;
 C4::Context->_new_userenv($sessionID);
- my $cookie = $query->cookie(CGISESSID => $sessionID);
+ my $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => $sessionID,
+ -HttpOnly => 1,
+ );
 if ( $return == 1 ) {
 my ( $borrowernumber, $firstname, $surname,
diff --git a/C4/Templates.pm b/C4/Templates.pm
index 507e077fb3..78dcdddd03 100644
--- a/C4/Templates.pm
+++ b/C4/Templates.pm
@@ -305,6 +305,7 @@ sub setlanguagecookie {
 my $cookie = $query->cookie(
 -name => 'KohaOpacLanguage',
 -value => $language,
+ -HttpOnly => 1,
 -expires => '+3y'
 );
 print $query->redirect(
diff --git a/cataloguing/additem.pl b/cataloguing/additem.pl
index c9875ca1bd..1bd19a7f24 100755
--- a/cataloguing/additem.pl
+++ b/cataloguing/additem.pl
@@ -418,6 +418,7 @@ if ($op eq "additem") {
 -name => 'LastCreatedItem',
 # We uri_escape the whole freezed structure so we're sure we won't have any encoding problems
 -value => uri_escape_utf8( freeze( $record ) ),
+ -HttpOnly => 1,
 -expires => ''
 );
 
diff --git a/installer/InstallAuth.pm b/installer/InstallAuth.pm
index 5b99c1f13b..0015a14e2d 100644
--- a/installer/InstallAuth.pm
+++ b/installer/InstallAuth.pm
@@ -262,7 +262,11 @@ sub checkauth {
 $session->param('emailaddress'),
 $session->param('branchprinter')
 );
- $cookie = $query->cookie( CGISESSID => $session->id );
+ $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => $session->id,
+ -HttpOnly => 1,
+ );
 $loggedin = 1;
 $userid = $session->param('cardnumber');
 }
@@ -298,7 +302,11 @@ sub checkauth {
 # printf L "%20s from %16s logged in at %30s.\n", $userid,
 # $ENV{'REMOTE_ADDR'}, $time;
 # close L;
- $cookie = $query->cookie( CGISESSID => $sessionID );
+ $cookie = $query->cookie(
+ -name => 'CGISESSID',
+ -value => $sessionID,
+ -HttpOnly => 1,
+ );
 if ( $return == 2 ) {
 #Only superlibrarian should have access to this page.
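Review bot: This is the fourth copy in the patch of the same three-attribute CGISESSID construction (two in C4::Auth, two in InstallAuth), so a small helper taking the query object and the session id would keep HttpOnly — and any Secure or path attribute added later — from drifting between call sites; InstallAuth would need to import it or carry the same one-liner. A second, hedged point: on a CGI.pm that predates the -httponly option the argument is, as far as I can tell, silently ignored rather than rejected, so unless the dependency list already pins a recent CGI version (not visible from here) the new flag may be a no-op on older installs. The enclosing check_api_auth begins and ends outside the hunk.
```perl
# One place to build the session cookie so every issuer sets the same attributes.
sub _session_cookie {
    my ( $query, $session_id ) = @_;
    return $query->cookie(
        -name     => 'CGISESSID',
        -value    => $session_id,
        -HttpOnly => 1,
    );
}

# … unchanged: new-login branch of check_api_auth up to _new_userenv …
            my $cookie = _session_cookie( $query, $sessionID );
```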
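Review bot: Marking KohaOpacLanguage HttpOnly hides it from document.cookie, so any OPAC or staff JavaScript that reads the language cookie client-side would stop seeing it silently while the server side keeps working; I can't see such a reader from here, but a grep for `KohaOpacLanguage` under the templates before merging would settle it. If nothing client-side reads it the change is right, and a comment on the new line such as `-HttpOnly => 1,   # server-side only; templates must not read this via document.cookie` would record that decision for the next person. setlanguagecookie starts before the hunk.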
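Review bot: LastCreatedItem carries a Storable-frozen `$record` in a client-controlled cookie, and HttpOnly only keeps scripts from reading it — it does nothing against the client editing the value before it is thawed server-side, and Storable::thaw on attacker-controlled bytes is a known deserialisation hazard (the reading side is outside this hunk, so I can't confirm how it is handled). If a session is available in additem.pl, keeping the record there (`$session->param('LastCreatedItem', $record)`) or at least signing the cookie would remove the trust placed in the client. A frozen MARC record may also exceed the roughly 4 KB browser cookie limit for large items, in which case the cookie is silently dropped. The enclosing `if ($op eq "additem")` block starts and ends outside the hunk.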
@@ -342,6 +350,7 @@ sub checkauth {
 $cookie = $query->cookie(
 -name => 'CGISESSID',
 -value => '',
+ -HttpOnly => 1,
 -expires => ''
 );
 }
@@ -382,6 +391,7 @@ sub checkauth {
 $cookie = $query->cookie(
 -name => 'CGISESSID',
 -value => $sessionID,
+ -HttpOnly => 1,
 -expires => ''
 );
 print $query->header(
-- 
2.39.5
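Review bot: The option is spelled `-HttpOnly` while CGI.pm documents it as `-httponly`; CGI's argument rearrangement lower-cases names so it works, but the documented spelling is what anyone grepping the CGI docs or source will look for, and using it uniformly here and in the other hunks avoids a mixed-case convention creeping into the codebase. The `-expires => ''` kept alongside it reads like an oversight even though it just yields a browser-session cookie (the same result as the C4::Auth constructions that omit -expires entirely), so a short comment such as `-expires => ''   # no Expires: browser-session cookie` would make the intent explicit. checkauth begins and ends outside the hunk.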