Add security flags to cookies (HttpOnly, secure)

Fixes #4525
2018-08-21 14:01:11 -04:00 · 2018-08-21 14:01:11 -04:00 · 828d773b49
parent 69c03e7479
commit 828d773b49
3 changed files with 12 additions and 21 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ New features
 Enhancements
 - [web] prohibit duplicate calendar categories in Preferences module
 - [web] added Romanian (ro) translation - thanks to Vasile Razvan Luca
+ - [web] add security flags to cookies (HttpOnly, secure) (#4525)
 - [core] enable Oracle OCI support for CentOS/RHEL v7

 Bug fixes
--- a/SoObjects/SOGo/SOGoWebAuthenticator.m
+++ b/SoObjects/SOGo/SOGoWebAuthenticator.m
@ -383,6 +383,7 @@
 {
  WOCookie *authCookie;
  NSString *cookieValue, *cookieString, *appName, *sessionKey, *userKey, *securedPassword;
+  BOOL isSecure;

  //
  // We create a new cookie - thus we create a new session
@ -409,8 +410,14 @@
                           userKey, sessionKey];
  cookieValue = [NSString stringWithFormat: @"basic %@",
                          [cookieString stringByEncodingBase64]];
+  isSecure = [[[context serverURL] scheme] isEqualToString: @"https"];
  authCookie = [WOCookie cookieWithName: [self cookieNameInContext: context]
-                                  value: cookieValue];
+                                  value: cookieValue
+                                   path: nil
+                                 domain: nil
+                                expires: nil
+                               isSecure: isSecure
+                               httpOnly: YES];
  appName = [[context request] applicationName];
  [authCookie setPath: [NSString stringWithFormat: @"/%@/", appName]];
  
--- a/UI/WebServerResources/js/Common/Authentication.service.js
+++ b/UI/WebServerResources/js/Common/Authentication.service.js
@ -57,18 +57,6 @@
    function getService($q, $http, $cookies, passwordPolicyConfig) {
      var service;

-      function readLoginCookie() {
-        var loginValues = null,
-            cookie = $cookies.get('0xHIGHFLYxSOGo'),
-            value;
-        if (cookie && cookie.length > 8) {
-          value = decodeURIComponent(cookie.substr(8));
-          loginValues = value.base64decode().split(':');
-        }
-
-        return loginValues;
-      }
-
      service = {
        login: function(data) {
          var d = $q.defer(),
@ -99,9 +87,8 @@
          }).then(function(response) {
            var data = response.data;
            // Make sure browser's cookies are enabled
-            var loginCookie = readLoginCookie();
-            if (!loginCookie) {
-              d.reject(l('cookiesNotEnabled'));
+            if (navigator && !navigator.cookieEnabled) {
+              d.reject({error: l('cookiesNotEnabled')});
            }
            else {
              // Check password policy
@ -145,7 +132,6 @@

        changePassword: function(newPassword) {
          var d = $q.defer(),
-              loginCookie = readLoginCookie(),
              xsrfCookie = $cookies.get('XSRF-TOKEN');

          $cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});
@ -156,10 +142,7 @@
            headers: {
              'X-XSRF-TOKEN' : xsrfCookie
            },
-            data: {
-              userName: loginCookie[0],
-              password: loginCookie[1],
-              newPassword: newPassword }
+            data: { newPassword: newPassword }
          }).then(d.resolve, function(response) {
            var error,
                data = response.data,