authorLukas Reschke <lukas@owncloud.com>2015-01-14 11:20:53 +0100
committerLukas Reschke <lukas@owncloud.com>2015-01-14 11:20:53 +0100
commita2e355a7fe99d094da79210ecf3fff4224f5a5df (patch)
treebc48a0294349a48516ec45e7526f093392a985a5 /lib/private/user/session.php
parent65ee2b1de88e490672067257a6a704a697d71e1e (diff)
Use "HTTPOnly" for cookies when logging out
This has no other reason than preventing some insane automated scanners from reporting this as a security bug (which it obviously isn't, as the cookie contains nothing of value). Thus it generally results in a happier Lukas and hopefully fewer reports to our support and security mail addresses...
Diffstat (limited to 'lib/private/user/session.php')
-rw-r--r--lib/private/user/session.php23
1 files changed, 13 insertions, 10 deletions
diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index 3cd83aae52f..253d9bc7171 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -260,27 +260,30 @@ class Session implements IUserSession, Emitter {
* @param string $token
*/
public function setMagicInCookie($username, $token) {
- $secure_cookie = \OC_Config::getValue("forcessl", false); //TODO: DI for cookies and OC_Config
+ $secureCookie = \OC_Config::getValue("forcessl", false); //TODO: DI for cookies and OC_Config
$expires = time() + \OC_Config::getValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
- setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secure_cookie);
- setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secure_cookie, true);
- setcookie("oc_remember_login", "1", $expires, \OC::$WEBROOT, '', $secure_cookie);
+ setcookie("oc_username", $username, $expires, \OC::$WEBROOT, '', $secureCookie, true);
+ setcookie("oc_token", $token, $expires, \OC::$WEBROOT, '', $secureCookie, true);
+ setcookie("oc_remember_login", "1", $expires, \OC::$WEBROOT, '', $secureCookie, true);
}
/**
* Remove cookie for "remember username"
*/
public function unsetMagicInCookie() {
+ //TODO: DI for cookies and OC_Config
+ $secureCookie = \OC_Config::getValue('forcessl', false);
+
unset($_COOKIE["oc_username"]); //TODO: DI
unset($_COOKIE["oc_token"]);
unset($_COOKIE["oc_remember_login"]);
- setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT);
- setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT);
- setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT);
+ setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT, '',$secureCookie, true);
+ setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true);
+ setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT, '', $secureCookie, true);
// old cookies might be stored under /webroot/ instead of /webroot
// and Firefox doesn't like it!
- setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT . '/');
- setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT . '/');
- setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT . '/');
+ setcookie('oc_username', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('oc_token', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
+ setcookie('oc_remember_login', '', time() - 3600, \OC::$WEBROOT . '/', '', $secureCookie, true);
}
}
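Review bot: The `$secureCookie` lookup added at the top of unsetMagicInCookie duplicates the one in setMagicInCookie, TODO comment included (and one spells the key `"forcessl"`, the other `'forcessl'`); a private helper such as `private function isSecureCookie() { return \OC_Config::getValue('forcessl', false); }` called from both methods would keep the two from drifting. Deriving the Secure attribute from the `forcessl` config rather than from the scheme of the current request means an HTTPS deployment that leaves `forcessl` unset (TLS terminated at a reverse proxy, for instance) writes the remember-me `oc_token` cookie without Secure; that was already the case in setMagicInCookie, but the helper would be the natural place to consult the request's protocol if the request layer exposes it. For the expiring cookies in unsetMagicInCookie the flag choice should not affect deletion, since a cookie is matched for overwrite by name, domain and path rather than by its Secure/HttpOnly attributes. The first `oc_username` deletion line has `'',$secureCookie` without a space after the comma, unlike its five siblings.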