fix(core): add security flags to cookies (HttpOnly, secure)

Fixes #4525
Francis Lachapelle
2022-04-04 16:00:06 -04:00
parent f331211977
commit 0f3d7dc6bc
3 changed files with 10 additions and 21 deletions


@@ -1,6 +1,6 @@
/* SOGoWebAuthenticator.m - this file is part of SOGo
*
* Copyright (C) 2007-2014 Inverse inc.
* Copyright (C) 2007-2022 Inverse inc.
*
* This file is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -390,6 +390,7 @@
{
WOCookie *authCookie;
NSString *cookieValue, *cookieString, *appName, *sessionKey, *userKey, *securedPassword;
BOOL isSecure;
//
// We create a new cookie - thus we create a new session
@@ -416,8 +417,14 @@
userKey, sessionKey];
cookieValue = [NSString stringWithFormat: @"basic %@",
[cookieString stringByEncodingBase64]];
isSecure = [[[context serverURL] scheme] isEqualToString: @"https"];
authCookie = [WOCookie cookieWithName: [self cookieNameInContext: context]
value: cookieValue];
value: cookieValue
path: nil
domain: nil
expires: nil
isSecure: isSecure
httpOnly: YES];
appName = [[context request] applicationName];
[authCookie setPath: [NSString stringWithFormat: @"/%@/", appName]];
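Review bot: In the third hunk `isSecure` is derived from `[[context serverURL] scheme]`, so the Secure attribute depends on the application seeing the request as https. If a front-end proxy terminates TLS and the original scheme is not reflected in `serverURL` (how that URL is computed is not visible here), the auth cookie built from `userKey` and `sessionKey` is silently issued without Secure. I would document this above the assignment, e.g. `// Secure is set only when serverURL reports https; a TLS-terminating proxy must forward the original scheme`, and consider logging when the cookie is created non-secure so a misconfigured deployment is noticed. The scheme comparison is also case-sensitive; `isSecure = [[[[context serverURL] scheme] lowercaseString] isEqualToString: @"https"];` tolerates an upper-case scheme. The enclosing method starts and ends outside the hunks shown.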