[geeklog-cvs] geeklog: The session and password cookies are now created with t...
Fri Sep 11 11:54:42 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/1e19b2c8a8cf
changeset: 7302:1e19b2c8a8cf
user: Dirk Haun <dirk at haun-online.de>
date: Fri Sep 11 13:03:06 2009 +0200
description:
The session and password cookies are now created with the HttpOnly flag set to make it somewhat harder to read them from JavaScript (requires browser support)
diffstat:
public_html/admin/auth.inc.php | 7 +++----
public_html/docs/history | 3 +++
public_html/users.php | 23 +++++++----------------
public_html/usersettings.php | 15 ++++++---------
system/lib-security.php | 45 +++++++++++++++++++++++++++++++++++++++++++++
system/lib-sessions.php | 6 +++---
6 files changed, 67 insertions(+), 32 deletions(-)
diffs (179 lines):
diff -r 8689bd624973 -r 1e19b2c8a8cf public_html/admin/auth.inc.php
--- a/public_html/admin/auth.inc.php Thu Sep 10 13:36:34 2009 +0200
+++ b/public_html/admin/auth.inc.php Fri Sep 11 13:03:06 2009 +0200
@@ -77,9 +77,8 @@
// They want their cookie to persist for some amount of time so set it now
- setcookie($_CONF['cookie_name'], $_USER['uid'],
- time() + $cooktime, $_CONF['cookie_path'],
- $_CONF['cookiedomain'], $_CONF['cookiesecure']);
+ SEC_setCookie($_CONF['cookie_name'], $_USER['uid'],
+ time() + $cooktime);
}
}
if (!SEC_hasRights('story.edit,block.edit,topic.edit,user.edit,plugin.edit,syndication.edit','OR')) {
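Review bot: The new `SEC_setCookie(...)` call on the persistent-login cookie discards its return value, while the same commit's lib-sessions.php change tests the result with `=== false` and logs a failure; the two call sites now handle the same helper inconsistently. Since a false return here (headers already sent) silently leaves the user without the persistent cookie they asked for, consider the same guard: `if (SEC_setCookie($_CONF['cookie_name'], $_USER['uid'], time() + $cooktime) === false) { COM_errorLog('Failed to set persistent cookie.', 1); }`. The same applies to the replacement calls in public_html/users.php and public_html/usersettings.php. The enclosing `if` block begins above this hunk.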
@@ -112,7 +111,7 @@
.'</tr>'.LB
.'<tr>'.LB
.'<td align="right">'.$LANG20[5].' </td>'.LB
- .'<td><input type="password" name="passwd" size="16" maxlength="16"' . XHTML . '></td>'
+ .'<td><input type="password" name="passwd" size="16"' . XHTML . '></td>'
.'</tr>'.LB
.'<tr>'.LB
.'<td colspan="2" align="center" class="warning">'.$LANG20[6].'<input type="hidden" name="warn" value="1"' . XHTML . '>'
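Review bot: Dropping `maxlength="16"` from the password input is a behavioural change unrelated to the HttpOnly work, and neither the commit description nor the docs/history entry mentions it; passwords longer than 16 characters can now be submitted from this form, which may differ from what other password fields in the project accept. A short history line such as `- Removed the 16-character limit on the admin authentication password field [Dirk]` would make the change discoverable. The surrounding form-building expression starts and ends outside this hunk.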
diff -r 8689bd624973 -r 1e19b2c8a8cf public_html/docs/history
--- a/public_html/docs/history Thu Sep 10 13:36:34 2009 +0200
+++ b/public_html/docs/history Fri Sep 11 13:03:06 2009 +0200
@@ -3,6 +3,9 @@
Oct ??, 2009 (1.6.1)
------------
+- The session and password cookies are now created with the HttpOnly flag set
+ to make it somewhat harder to read them from JavaScript (requires browser
+ support) [Dirk]
- Fixed visibility of the "Send Ping" links in the Story Admin's list of stories
and the Story Options block [Dirk]
- The install script was switching back to English in some upgrade scenarios
diff -r 8689bd624973 -r 1e19b2c8a8cf public_html/users.php
--- a/public_html/users.php Thu Sep 10 13:36:34 2009 +0200
+++ b/public_html/users.php Fri Sep 11 13:03:06 2009 +0200
@@ -847,15 +847,9 @@
SESS_endUserSession ($_USER['uid']);
PLG_logoutUser ($_USER['uid']);
}
- setcookie ($_CONF['cookie_session'], '', time() - 10000,
- $_CONF['cookie_path'], $_CONF['cookiedomain'],
- $_CONF['cookiesecure']);
- setcookie ($_CONF['cookie_password'], '', time() - 10000,
- $_CONF['cookie_path'], $_CONF['cookiedomain'],
- $_CONF['cookiesecure']);
- setcookie ($_CONF['cookie_name'], '', time() - 10000,
- $_CONF['cookie_path'], $_CONF['cookiedomain'],
- $_CONF['cookiesecure']);
+ SEC_setCookie($_CONF['cookie_session'], '', time() - 10000);
+ SEC_setCookie($_CONF['cookie_password'], '', time() - 10000);
+ SEC_setCookie($_CONF['cookie_name'], '', time() - 10000);
$display = COM_refresh($_CONF['site_url'] . '/index.php?msg=8');
break;
@@ -1157,13 +1151,10 @@
if ($VERBOSE) {
COM_errorLog('Trying to set permanent cookie',1);
}
- setcookie ($_CONF['cookie_name'], $_USER['uid'],
- time() + $cooktime, $_CONF['cookie_path'],
- $_CONF['cookiedomain'], $_CONF['cookiesecure']);
- setcookie ($_CONF['cookie_password'],
- SEC_encryptPassword($passwd), time() + $cooktime,
- $_CONF['cookie_path'], $_CONF['cookiedomain'],
- $_CONF['cookiesecure']);
+ SEC_setCookie($_CONF['cookie_name'], $_USER['uid'],
+ time() + $cooktime);
+ SEC_setCookie($_CONF['cookie_password'],
+ SEC_encryptPassword($passwd), time() + $cooktime);
}
} else {
$userid = $_COOKIE[$_CONF['cookie_name']];
diff -r 8689bd624973 -r 1e19b2c8a8cf public_html/usersettings.php
--- a/public_html/usersettings.php Thu Sep 10 13:36:34 2009 +0200
+++ b/public_html/usersettings.php Fri Sep 11 13:03:06 2009 +0200
@@ -1005,9 +1005,8 @@
} else {
$cooktime = -1000;
}
- setcookie($_CONF['cookie_password'], $passwd, time() + $cooktime,
- $_CONF['cookie_path'], $_CONF['cookiedomain'],
- $_CONF['cookiesecure']);
+ SEC_setCookie($_CONF['cookie_password'], $passwd,
+ time() + $cooktime);
} elseif (SEC_encryptPassword($A['old_passwd']) != $current_password) {
return COM_refresh ($_CONF['site_url']
. '/usersettings.php?msg=68');
@@ -1023,13 +1022,11 @@
if ($A['cooktime'] <= 0) {
$cooktime = 1000;
- setcookie ($_CONF['cookie_name'], $_USER['uid'], time() - $cooktime,
- $_CONF['cookie_path'], $_CONF['cookiedomain'],
- $_CONF['cookiesecure']);
+ SEC_setCookie($_CONF['cookie_name'], $_USER['uid'],
+ time() - $cooktime);
} else {
- setcookie ($_CONF['cookie_name'], $_USER['uid'],
- time() + $A['cooktime'], $_CONF['cookie_path'],
- $_CONF['cookiedomain'], $_CONF['cookiesecure']);
+ SEC_setCookie($_CONF['cookie_name'], $_USER['uid'],
+ time() + $A['cooktime']);
}
if ($_CONF['allow_user_photo'] == 1) {
diff -r 8689bd624973 -r 1e19b2c8a8cf system/lib-security.php
--- a/system/lib-security.php Thu Sep 10 13:36:34 2009 +0200
+++ b/system/lib-security.php Fri Sep 11 13:03:06 2009 +0200
@@ -1177,4 +1177,49 @@
return $return;
}
+/**
+* Set a cookie using the HttpOnly flag
+*
+* Use this function to set "important" cookies (session, password, ...).
+* Browsers that support the HttpOnly flag will not allow JavaScript access
+* to such a cookie.
+*
+* @param string $name cookie name
+* @param string $value cookie value
+* @param int $expire expire time
+* @param string $path path on the server or $_CONF['cookie_path']
+* @param string $domain domain or $_CONF['cookiedomain']
+* @param bool $secure whether to use HTTPS or $_CONF['cookiesecure']
+* @link http://blog.mattmecham.com/2006/09/12/http-only-cookies-without-php-52/
+*
+*/
+function SEC_setCookie($name, $value, $expire = 0, $path = null, $domain = null, $secure = null)
+{
+ global $_CONF;
+
+ $retval = false;
+
+ if ($path === null) {
+ $path = $_CONF['cookie_path'];
+ }
+ if ($domain === null) {
+ $domain = $_CONF['cookiedomain'];
+ }
+ if ($secure === null) {
+ $secure = $_CONF['cookiesecure'];
+ }
+
+ // the httponly parameter is only available as of PHP 5.2.0
+ if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
+ $retval = setcookie($name, $value, $expire, $path, $domain, $secure,
+ true);
+ } else {
+ // fake it for older PHP versions; kudos to Matt Mecham
+ $retval = setcookie($name, $value, $expire, $path,
+ $domain . '; httponly', $secure);
+ }
+
+ return $retval;
+}
+
?>
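Review bot: The docblock for `SEC_setCookie` documents every parameter but not the return value, yet lib-sessions.php in this same commit relies on it with `=== false`; add `@return bool return value of setcookie() (false e.g. when headers were already sent)` so callers know the contract. In the pre-5.2 fallback, an empty `$_CONF['cookiedomain']` produces a `domain=; httponly` attribute, and it is not clear that every user agent accepts an empty domain value, so that branch may be worth guarding on `$domain !== ''` or documenting as untested for that configuration. Note also that the `$secure` flag defaults to `$_CONF['cookiesecure']`, so HttpOnly on its own does not keep these cookies off plain HTTP unless that setting is enabled.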
diff -r 8689bd624973 -r 1e19b2c8a8cf system/lib-sessions.php
--- a/system/lib-sessions.php Thu Sep 10 13:36:34 2009 +0200
+++ b/system/lib-sessions.php Fri Sep 11 13:03:06 2009 +0200
@@ -321,9 +321,9 @@
COM_errorLog ("Setting session cookie: setcookie($cookiename, $sessid, 0, $cookiepath, $cookiedomain, $cookiesecure);", 1);
}
- if (setcookie ($cookiename, $sessid, 0, $cookiepath, $cookiedomain,
- $cookiesecure) === false) {
- COM_errorLog ('Failed to set session cookie.', 1);
+ if (SEC_setCookie($cookiename, $sessid, 0, $cookiepath, $cookiedomain,
+ $cookiesecure) === false) {
+ COM_errorLog('Failed to set session cookie.', 1);
}
}
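Review bot: The verbose log message on the first context line still reads `Setting session cookie: setcookie(...)` although the call below it is now `SEC_setCookie(...)`, so the log no longer describes what the code does; update it to `COM_errorLog ("Setting session cookie: SEC_setCookie($cookiename, $sessid, 0, $cookiepath, $cookiedomain, $cookiesecure);", 1);`. While touching that line, consider that it writes the session id `$sessid` into the error log, which means anyone with read access to the log can reuse a live session regardless of the new HttpOnly flag; logging only `$cookiename` would keep the diagnostic value. The enclosing function starts outside this hunk.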