summaryrefslogtreecommitdiffstats
path: root/lib/private/User
diff options
context:
space:
mode:
authorRoeland Jago Douma <roeland@famdouma.nl>2018-09-28 15:06:48 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2018-09-28 16:44:37 +0200
commit9a7265babf8712b1fb0e61c2d735b85f29555272 (patch)
tree427d2b727c92f7e66c446aa117746d73e8c8f3bc /lib/private/User
parentdb50e11edf608b6225e253610f7435089824a2c2 (diff)
downloadnextcloud-server-9a7265babf8712b1fb0e61c2d735b85f29555272.tar.gz
nextcloud-server-9a7265babf8712b1fb0e61c2d735b85f29555272.zip
Make authenticated cookies lax
This protects our cookies a bit more. It makes sure that when a 3rdparty websites embededs a public alendar for example. That all the users see this in anonymous mode there. It adds a small helper function. In the future we can think about protecting other cookies like this as well. But for now this is sufficient to not have the user logged in at all when doing 3rdparty requests. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/private/User')
-rw-r--r--lib/private/User/Session.php35
1 files changed, 31 insertions, 4 deletions
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index fbd6a0a78e3..5593e178ca3 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -869,11 +869,38 @@ class Session implements IUserSession, Emitter {
$webRoot = '/';
}
- $expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
- setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
- setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
+ $maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_username',
+ $username,
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_token',
+ $token,
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
try {
- setcookie('nc_session_id', $this->session->getId(), $expires, $webRoot, '', $secureCookie, true);
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_session_id',
+ $this->session->getId(),
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
} catch (SessionNotAvailableException $ex) {
// ignore
}