author | Roeland Jago Douma <roeland@famdouma.nl> | 2018-09-28 15:06:48 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2018-09-28 16:44:37 +0200 |
commit | 9a7265babf8712b1fb0e61c2d735b85f29555272 (patch) | |
tree | 427d2b727c92f7e66c446aa117746d73e8c8f3bc /lib/private/User | |
parent | db50e11edf608b6225e253610f7435089824a2c2 (diff) | |
Make authenticated cookies lax
This protects our cookies a bit more. It makes sure that when a 3rd-party
website embeds a public calendar, for example, all the users see
it in anonymous mode there.
It adds a small helper function.
In the future we can think about protecting other cookies like this as
well. But for now this is sufficient to not have the user logged in at
all when doing 3rdparty requests.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/private/User')
-rw-r--r-- | lib/private/User/Session.php | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index fbd6a0a78e3..5593e178ca3 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -869,11 +869,38 @@ class Session implements IUserSession, Emitter {
 $webRoot = '/';
 }
- $expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
- setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
- setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
+ $maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_username',
+ $username,
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_token',
+ $token,
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
 try {
- setcookie('nc_session_id', $this->session->getId(), $expires, $webRoot, '', $secureCookie, true);
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_session_id',
+ $this->session->getId(),
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
 } catch (SessionNotAvailableException $ex) {
 // ignore
 } |
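Review bot: The third argument to all three `CookieHelper::setCookie` calls changed meaning, from the absolute `$expires` timestamp the removed `setcookie` lines computed via `timeFactory->getTime()` to a relative `$maxAge` lifetime read straight from config, so this is only correct if the helper itself emits `Max-Age` or converts the lifetime to an `Expires` date — the helper is not in this hunk, so please confirm that rather than have the remember-me cookies expire at a timestamp in 1970. A comment on the `$maxAge` line would make the contract visible to the next reader: `// lifetime in seconds, not a timestamp: CookieHelper::setCookie takes max-age`. Separately, `SAMESITE_LAX` still lets the browser attach these cookies on top-level cross-site GET navigations (e.g. a link from the embedding site into this instance); it blocks them only on embedded subresources, iframes and cross-site POSTs, so the commit message's "not logged in at all when doing 3rdparty requests" holds for the embedded-calendar case but not for every cross-site request — `Strict` would be needed for that, at the cost of breaking links into the instance. The enclosing method starts and ends outside the hunk.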