From 828d773b49283a5f91bf628b846586d533ad483c Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Tue, 21 Aug 2018 14:01:11 -0400
Subject: [PATCH] Add security flags to cookies (HttpOnly, secure)

Fixes #4525
---
 NEWS | 1 +
 SoObjects/SOGo/SOGoWebAuthenticator.m | 9 +++++++-
 .../js/Common/Authentication.service.js | 23 +++----------------
 3 files changed, 12 insertions(+), 21 deletions(-)

diff --git a/NEWS b/NEWS
index 0fee8ec22..58edcbed3 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@ New features
 Enhancements
 - [web] prohibit duplicate calendar categories in Preferences module
 - [web] added Romanian (ro) translation - thanks to Vasile Razvan Luca
+ - [web] add security flags to cookies (HttpOnly, secure) (#4525)
 - [core] enable Oracle OCI support for CentOS/RHEL v7
 Bug fixes
diff --git a/SoObjects/SOGo/SOGoWebAuthenticator.m b/SoObjects/SOGo/SOGoWebAuthenticator.m
index a677aa8dc..7833c7e23 100644
--- a/SoObjects/SOGo/SOGoWebAuthenticator.m
+++ b/SoObjects/SOGo/SOGoWebAuthenticator.m
@@ -383,6 +383,7 @@
 {
 WOCookie *authCookie;
 NSString *cookieValue, *cookieString, *appName, *sessionKey, *userKey, *securedPassword;
+ BOOL isSecure;
 //
 // We create a new cookie - thus we create a new session
@@ -409,8 +410,14 @@
 userKey, sessionKey];
 cookieValue = [NSString stringWithFormat: @"basic %@", [cookieString stringByEncodingBase64]];
+ isSecure = [[[context serverURL] scheme] isEqualToString: @"https"];
 authCookie = [WOCookie cookieWithName: [self cookieNameInContext: context]
- value: cookieValue];
+ value: cookieValue
+ path: nil
+ domain: nil
+ expires: nil
+ isSecure: isSecure
+ httpOnly: YES];
 appName = [[context request] applicationName];
 [authCookie setPath: [NSString stringWithFormat: @"/%@/", appName]];
diff --git a/UI/WebServerResources/js/Common/Authentication.service.js b/UI/WebServerResources/js/Common/Authentication.service.js
index 100b3ccbc..343837fab 100644
--- a/UI/WebServerResources/js/Common/Authentication.service.js
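Review bot: The new `isSecure` line decides the Secure flag with a case-sensitive `isEqualToString:`, while URL schemes are case-insensitive, so a server URL spelled `HTTPS://…` would silently lose the flag; `isSecure = ([[[context serverURL] scheme] caseInsensitiveCompare: @"https"] == NSOrderedSame);` avoids that. More importantly the flag is derived from `[context serverURL]`, which, if it reflects the incoming request rather than a configured external URL, will read `http` when TLS terminates at a reverse proxy, leaving the session cookie without Secure even though browsers reach the service over HTTPS; a deployment-level override or use of the proxy's forwarded-protocol header is worth considering, and a comment stating the assumption (`// Secure flag follows the server URL scheme; behind a TLS-terminating proxy this must reflect the external scheme`) would make it visible. No SameSite attribute is set alongside `httpOnly: YES`; if the WOCookie API exposes one it would complement these flags. The enclosing method starts and ends outside the hunk.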
+++ b/UI/WebServerResources/js/Common/Authentication.service.js
@@ -57,18 +57,6 @@
 function getService($q, $http, $cookies, passwordPolicyConfig) {
 var service;
- function readLoginCookie() {
- var loginValues = null,
- cookie = $cookies.get('0xHIGHFLYxSOGo'),
- value;
- if (cookie && cookie.length > 8) {
- value = decodeURIComponent(cookie.substr(8));
- loginValues = value.base64decode().split(':');
- }
-
- return loginValues;
- }
-
 service = {
 login: function(data) {
 var d = $q.defer(),
@@ -99,9 +87,8 @@
 }).then(function(response) {
 var data = response.data;
 // Make sure browser's cookies are enabled
- var loginCookie = readLoginCookie();
- if (!loginCookie) {
- d.reject(l('cookiesNotEnabled'));
+ if (navigator && !navigator.cookieEnabled) {
+ d.reject({error: l('cookiesNotEnabled')});
 } else {
 // Check password policy
@@ -145,7 +132,6 @@
 changePassword: function(newPassword) {
 var d = $q.defer(),
- loginCookie = readLoginCookie(),
 xsrfCookie = $cookies.get('XSRF-TOKEN');
 $cookies.remove('XSRF-TOKEN', {path: '/SOGo/'});
@@ -156,10 +142,7 @@
 headers: {
 'X-XSRF-TOKEN' : xsrfCookie
 },
- data: {
- userName: loginCookie[0],
- password: loginCookie[1],
- newPassword: newPassword }
+ data: { newPassword: newPassword }
 }).then(d.resolve, function(response) {
 var error,
 data = response.data,
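Review bot: `navigator && !navigator.cookieEnabled` does not protect against `navigator` being undeclared, because referencing an undeclared global throws a ReferenceError before `&&` is evaluated; if that case is meant to be handled the guard should be `typeof navigator !== 'undefined' && !navigator.cookieEnabled`, otherwise the `navigator &&` part can simply go. More significantly, the removed check verified that the session cookie actually arrived from the server, whereas `navigator.cookieEnabled` only reports the browser-wide setting, so a cookie the browser refuses for another reason (for instance a Secure-flagged cookie delivered over plain HTTP, which the server-side change in this commit now makes possible if the scheme is misjudged) is no longer detected and the login fails later with a less specific error. A comment such as `// Cookie is HttpOnly now, so its presence cannot be verified from script; only the browser setting is checked` would make the trade-off explicit. The rejection value also changes from a string to `{error: …}`; the consumers of `login()`'s rejection are outside this hunk, so confirm they were updated.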
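Review bot: The password-change request body now carries only `newPassword`; the user name and current password that `readLoginCookie()` used to supply must now be taken from the HttpOnly session cookie on the server side, yet the diffstat lists only these three files, so the endpoint handling this request is not touched in this commit. Confirm that it already resolves the user and the stored credential from the session (or that this commit depends on one that does); otherwise the request is sent without the credentials it previously included. A one-line comment above `data:` stating that the identity and current credential are derived from the session cookie would document the new contract. The `changePassword` function begins outside this hunk.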