fix(core): add security flags to cookies (HttpOnly, secure)

Fixes #4525
2026-03-13 19:01:23 +00:00 · 2022-04-04 16:00:06 -04:00
parent f331211977
commit 0f3d7dc6bc
3 changed files with 10 additions and 21 deletions
--- a/SoObjects/SOGo/SOGoWebAuthenticator.m
+++ b/SoObjects/SOGo/SOGoWebAuthenticator.m
@@ -1,6 +1,6 @@
 /* SOGoWebAuthenticator.m - this file is part of SOGo
 *
- * Copyright (C) 2007-2014 Inverse inc.
+ * Copyright (C) 2007-2022 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -390,6 +390,7 @@
 {
  WOCookie *authCookie;
  NSString *cookieValue, *cookieString, *appName, *sessionKey, *userKey, *securedPassword;
+  BOOL isSecure;

  //
  // We create a new cookie - thus we create a new session
@@ -416,8 +417,14 @@
                           userKey, sessionKey];
  cookieValue = [NSString stringWithFormat: @"basic %@",
                          [cookieString stringByEncodingBase64]];
+  isSecure = [[[context serverURL] scheme] isEqualToString: @"https"];
  authCookie = [WOCookie cookieWithName: [self cookieNameInContext: context]
-                                  value: cookieValue];
+                                  value: cookieValue
+                                   path: nil
+                                 domain: nil
+                                expires: nil
+                               isSecure: isSecure
+                               httpOnly: YES];
  appName = [[context request] applicationName];
  [authCookie setPath: [NSString stringWithFormat: @"/%@/", appName]];
  
--- a/UI/WebServerResources/SOGoRootPage.js
+++ b/UI/WebServerResources/SOGoRootPage.js
@@ -7,11 +7,6 @@ function initLogin() {
    date.setTime(date.getTime() - 86400000);

    var href = $("connectForm").action.split("/");
-    var appName = href[href.length-2];
-
-    document.cookie = ("0xHIGHFLYxSOGo=discarded"
-                       + "; expires=" + date.toGMTString()
-                       + "; path=/" + appName + "/");

    var about = $("about");
    if (about) {
@@ -118,9 +113,7 @@ function onLoginCallback(http) {

        if (http.status == 200) {
            // Make sure browser's cookies are enabled
-            var loginCookie = readLoginCookie();
-
-            if (!loginCookie) {
+            if (navigator && !navigator.cookieEnabled) {
                SetLogMessage("errorMessage", _("cookiesNotEnabled"));
                submitBtn.disabled = false;
                return;
--- a/UI/WebServerResources/generic.js
+++ b/UI/WebServerResources/generic.js
@@ -2329,17 +2329,6 @@ function readCookie(name) {
    return foundCookie;
 }

-function readLoginCookie() {
-    var loginValues = null;
-    var cookie = readCookie("0xHIGHFLYxSOGo");
-    if (cookie && cookie.length > 8) {
-        var value = decodeURIComponent(cookie.substr(8));
-        loginValues = value.base64decode().split(":");
-    }
-
-    return loginValues;
-}
-
 /* logging widgets */
 function SetLogMessage(containerId, message, msgType) {
    var container = $(containerId);