author | lpsolit%gmail.com <> | 2008-08-27 08:08:50 +0200 |
committer | lpsolit%gmail.com <> | 2008-08-27 08:08:50 +0200 |
commit | fe1592095525f8622fcbceae6ae926634c096ec3 (patch) | |
tree | 3c040ce51b0e12cb8b0dc12e0f13b9acee9847dc | |
parent | a2631d18069f099eb5133c4484c9b80ff2a3f547 (diff) | |
Bug 449984: Login cookies should be created as SSL-only on installations that require SSL - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat
-rw-r--r-- | Bugzilla/Auth/Persist/Cookie.pm | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 4928068e5..9098f8989 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -67,6 +67,9 @@ sub persist_login {
                VALUES (?, ?, ?, NOW())",
                undef, $login_cookie, $user->id, $ip_addr);
 
+    # Prevent JavaScript from accessing login cookies.
+    my %cookieargs = ('-httponly' => 1);
+
     # Remember cookie only if admin has told so
     # or admin didn't forbid it and user told to remember.
     if ( Bugzilla->params->{'rememberlogin'} eq 'on' ||
@@ -74,23 +77,23 @@ sub persist_login {
            $cgi->param('Bugzilla_remember') &&
            $cgi->param('Bugzilla_remember') eq 'on') )
     {
-        $cgi->send_cookie(-name => 'Bugzilla_login',
-                          -value => $user->id,
-                          -httponly => 1,
-                          -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
-        $cgi->send_cookie(-name => 'Bugzilla_logincookie',
-                          -value => $login_cookie,
-                          -httponly => 1,
-                          -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+        # Not a session cookie, so set an infinite expiry
+        $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
     }
-    else {
-        $cgi->send_cookie(-name => 'Bugzilla_login',
-                          -value => $user->id,
-                          -httponly => 1);
-        $cgi->send_cookie(-name => 'Bugzilla_logincookie',
-                          -value => $login_cookie,
-                          -httponly => 1);
+    if (Bugzilla->params->{'ssl'} ne 'never'
+        && Bugzilla->params->{'sslbase'} ne '')
+    {
+        # Bugzilla->login will automatically redirect to https://,
+        # so it's safe to turn on the 'secure' bit.
+        $cookieargs{'-secure'} = 1;
     }
+
+    $cgi->send_cookie(-name => 'Bugzilla_login',
+                      -value => $user->id,
+                      %cookieargs);
+    $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+                      -value => $login_cookie,
+                      %cookieargs);
 }
 
 sub logout {
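Review bot: The `-secure` flag in the second hunk is derived from two configuration parameters (`ssl` and `sslbase`) rather than from the transport of the request that is actually setting the cookie, and the comment above it asserts that `Bugzilla->login` has already redirected to https without that being checked here. If a deployment terminates TLS at a proxy that does not forward the scheme, or a request reaches `persist_login` without going through that redirect, the browser will store a Secure cookie it never sends back and the login silently fails; the comment should state this dependency so the next reader does not treat the flag as self-validating, e.g. `# Relies on Bugzilla->login having already redirected this request to sslbase; a Secure cookie set over plain http is never returned by the browser.` Worth confirming against Bugzilla->login (outside this hunk) that every path into persist_login really is covered. A smaller point of style: the hash uses quoted keys (`'-httponly'`, `'-expires'`, `'-secure'`) while the `send_cookie` calls a few lines below use bareword `-name =>` / `-value =>`; `my %cookieargs = (-httponly => 1);` would keep one convention. `persist_login` begins before the first hunk, so the remaining cookie-related code above is not visible here.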