Merge pull request #11433 from nextcloud/feature/all_lax_cookies2

Make authenticated cookies lax
This commit is contained in:
Christoph Wurst 2018-10-02 10:28:05 +02:00 committed by GitHub
commit d01905200a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 108 additions and 4 deletions

View file

@ -800,6 +800,7 @@ return array(
'OC\\Http\\Client\\Client' => $baseDir . '/lib/private/Http/Client/Client.php',
'OC\\Http\\Client\\ClientService' => $baseDir . '/lib/private/Http/Client/ClientService.php',
'OC\\Http\\Client\\Response' => $baseDir . '/lib/private/Http/Client/Response.php',
'OC\\Http\\CookieHelper' => $baseDir . '/lib/private/Http/CookieHelper.php',
'OC\\Installer' => $baseDir . '/lib/private/Installer.php',
'OC\\IntegrityCheck\\Checker' => $baseDir . '/lib/private/IntegrityCheck/Checker.php',
'OC\\IntegrityCheck\\Exceptions\\InvalidSignatureException' => $baseDir . '/lib/private/IntegrityCheck/Exceptions/InvalidSignatureException.php',

View file

@ -830,6 +830,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Http\\Client\\Client' => __DIR__ . '/../../..' . '/lib/private/Http/Client/Client.php',
'OC\\Http\\Client\\ClientService' => __DIR__ . '/../../..' . '/lib/private/Http/Client/ClientService.php',
'OC\\Http\\Client\\Response' => __DIR__ . '/../../..' . '/lib/private/Http/Client/Response.php',
'OC\\Http\\CookieHelper' => __DIR__ . '/../../..' . '/lib/private/Http/CookieHelper.php',
'OC\\Installer' => __DIR__ . '/../../..' . '/lib/private/Installer.php',
'OC\\IntegrityCheck\\Checker' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Checker.php',
'OC\\IntegrityCheck\\Exceptions\\InvalidSignatureException' => __DIR__ . '/../../..' . '/lib/private/IntegrityCheck/Exceptions/InvalidSignatureException.php',

View file

@ -0,0 +1,75 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2018, Roeland Jago Douma <roeland@famdouma.nl>
*
* @author Roeland Jago Douma <roeland@famdouma.nl>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Http;
class CookieHelper {
const SAMESITE_NONE = 0;
const SAMESITE_LAX = 1;
const SAMESITE_STRICT = 2;
public static function setCookie(string $name,
string $value = '',
int $maxAge = 0,
string $path = '',
string $domain = '',
bool $secure = false,
bool $httponly = false,
int $samesite = self::SAMESITE_NONE) {
$header = sprintf(
'Set-Cookie: %s=%s',
$name,
urlencode($value)
);
if ($path !== '') {
$header .= sprintf('; Path=%s', $path);
}
if ($domain !== '') {
$header .= sprintf('; Domain=%s', $domain);
}
if ($maxAge > 0) {
$header .= sprintf('; Max-Age=%d', $maxAge);
}
if ($secure) {
$header .= '; Secure';
}
if ($httponly) {
$header .= '; HttpOnly';
}
if ($samesite === self::SAMESITE_LAX) {
$header .= '; SameSite=Lax';
} else if ($samesite === self::SAMESITE_STRICT) {
$header .= '; SameSite=Strict';
}
header($header, false);
}
}

View file

@ -869,11 +869,38 @@ class Session implements IUserSession, Emitter {
$webRoot = '/';
}
$expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
$maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
\OC\Http\CookieHelper::setCookie(
'nc_username',
$username,
$maxAge,
$webRoot,
'',
$secureCookie,
true,
\OC\Http\CookieHelper::SAMESITE_LAX
);
\OC\Http\CookieHelper::setCookie(
'nc_token',
$token,
$maxAge,
$webRoot,
'',
$secureCookie,
true,
\OC\Http\CookieHelper::SAMESITE_LAX
);
try {
setcookie('nc_session_id', $this->session->getId(), $expires, $webRoot, '', $secureCookie, true);
\OC\Http\CookieHelper::setCookie(
'nc_session_id',
$this->session->getId(),
$maxAge,
$webRoot,
'',
$secureCookie,
true,
\OC\Http\CookieHelper::SAMESITE_LAX
);
} catch (SessionNotAvailableException $ex) {
// ignore
}