summaryrefslogtreecommitdiffstats
path: root/lib/private
diff options
context:
space:
mode:
authorChristoph Wurst <ChristophWurst@users.noreply.github.com>2018-10-02 10:28:05 +0200
committerGitHub <noreply@github.com>2018-10-02 10:28:05 +0200
commitd01905200aa2da5f6271815975500dc7f30fd050 (patch)
tree2fc241de2b46a3a6cf38da00f1381c68219bcaee /lib/private
parent5581e0e9eb512782d2bc1982639e5fb2ef7c910f (diff)
parent9a7265babf8712b1fb0e61c2d735b85f29555272 (diff)
downloadnextcloud-server-d01905200aa2da5f6271815975500dc7f30fd050.tar.gz
nextcloud-server-d01905200aa2da5f6271815975500dc7f30fd050.zip
Merge pull request #11433 from nextcloud/feature/all_lax_cookies2
Make authenticated cookies lax
Diffstat (limited to 'lib/private')
-rw-r--r--lib/private/Http/CookieHelper.php75
-rw-r--r--lib/private/User/Session.php35
2 files changed, 106 insertions, 4 deletions
diff --git a/lib/private/Http/CookieHelper.php b/lib/private/Http/CookieHelper.php
new file mode 100644
index 00000000000..91a8256dc1a
--- /dev/null
+++ b/lib/private/Http/CookieHelper.php
@@ -0,0 +1,75 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2018, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Http;
+
+class CookieHelper {
+
+ const SAMESITE_NONE = 0;
+ const SAMESITE_LAX = 1;
+ const SAMESITE_STRICT = 2;
+
+ public static function setCookie(string $name,
+ string $value = '',
+ int $maxAge = 0,
+ string $path = '',
+ string $domain = '',
+ bool $secure = false,
+ bool $httponly = false,
+ int $samesite = self::SAMESITE_NONE) {
+ $header = sprintf(
+ 'Set-Cookie: %s=%s',
+ $name,
+ urlencode($value)
+ );
+
+ if ($path !== '') {
+ $header .= sprintf('; Path=%s', $path);
+ }
+
+ if ($domain !== '') {
+ $header .= sprintf('; Domain=%s', $domain);
+ }
+
+ if ($maxAge > 0) {
+ $header .= sprintf('; Max-Age=%d', $maxAge);
+ }
+
+ if ($secure) {
+ $header .= '; Secure';
+ }
+
+ if ($httponly) {
+ $header .= '; HttpOnly';
+ }
+
+ if ($samesite === self::SAMESITE_LAX) {
+ $header .= '; SameSite=Lax';
+ } else if ($samesite === self::SAMESITE_STRICT) {
+ $header .= '; SameSite=Strict';
+ }
+
+ header($header, false);
+ }
+}
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index fbd6a0a78e3..5593e178ca3 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -869,11 +869,38 @@ class Session implements IUserSession, Emitter {
$webRoot = '/';
}
- $expires = $this->timeFactory->getTime() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
- setcookie('nc_username', $username, $expires, $webRoot, '', $secureCookie, true);
- setcookie('nc_token', $token, $expires, $webRoot, '', $secureCookie, true);
+ $maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_username',
+ $username,
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_token',
+ $token,
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
try {
- setcookie('nc_session_id', $this->session->getId(), $expires, $webRoot, '', $secureCookie, true);
+ \OC\Http\CookieHelper::setCookie(
+ 'nc_session_id',
+ $this->session->getId(),
+ $maxAge,
+ $webRoot,
+ '',
+ $secureCookie,
+ true,
+ \OC\Http\CookieHelper::SAMESITE_LAX
+ );
} catch (SessionNotAvailableException $ex) {
// ignore
}