Commit fe159209 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 449984: Login cookies should be created as SSL-only on installations that…

Bug 449984: Login cookies should be created as SSL-only on installations that require SSL - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat
parent a2631d18
...@@ -67,6 +67,9 @@ sub persist_login { ...@@ -67,6 +67,9 @@ sub persist_login {
VALUES (?, ?, ?, NOW())", VALUES (?, ?, ?, NOW())",
undef, $login_cookie, $user->id, $ip_addr); undef, $login_cookie, $user->id, $ip_addr);
# Prevent JavaScript from accessing login cookies.
my %cookieargs = ('-httponly' => 1);
# Remember cookie only if admin has told so # Remember cookie only if admin has told so
# or admin didn't forbid it and user told to remember. # or admin didn't forbid it and user told to remember.
if ( Bugzilla->params->{'rememberlogin'} eq 'on' || if ( Bugzilla->params->{'rememberlogin'} eq 'on' ||
...@@ -74,23 +77,23 @@ sub persist_login { ...@@ -74,23 +77,23 @@ sub persist_login {
$cgi->param('Bugzilla_remember') && $cgi->param('Bugzilla_remember') &&
$cgi->param('Bugzilla_remember') eq 'on') ) $cgi->param('Bugzilla_remember') eq 'on') )
{ {
$cgi->send_cookie(-name => 'Bugzilla_login', # Not a session cookie, so set an infinite expiry
-value => $user->id, $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
-httponly => 1,
-expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
$cgi->send_cookie(-name => 'Bugzilla_logincookie',
-value => $login_cookie,
-httponly => 1,
-expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
} }
else { if (Bugzilla->params->{'ssl'} ne 'never'
$cgi->send_cookie(-name => 'Bugzilla_login', && Bugzilla->params->{'sslbase'} ne '')
-value => $user->id, {
-httponly => 1); # Bugzilla->login will automatically redirect to https://,
$cgi->send_cookie(-name => 'Bugzilla_logincookie', # so it's safe to turn on the 'secure' bit.
-value => $login_cookie, $cookieargs{'-secure'} = 1;
-httponly => 1);
} }
$cgi->send_cookie(-name => 'Bugzilla_login',
-value => $user->id,
%cookieargs);
$cgi->send_cookie(-name => 'Bugzilla_logincookie',
-value => $login_cookie,
%cookieargs);
} }
sub logout { sub logout {
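Review bot: The Secure decision at `$cookieargs{'-secure'} = 1;` is made purely from the `ssl` and `sslbase` parameters, and the comment's safety argument rests on `Bugzilla->login` (outside this hunk) redirecting to https under exactly the same condition; if the two checks ever drift apart (for instance an `ssl` value that is not `never` but does not force a redirect), the browser never returns the Secure cookies over http and the user is silently logged out rather than told why. I would either factor that predicate into one shared helper called from both places, or at least record the coupling on the condition: `# Must match the https redirect condition in Bugzilla->login: if this is true but no redirect happens, Secure cookies are never sent back and login appears to fail.` Separately, the new comment `# Not a session cookie, so set an infinite expiry` overstates the hard-coded `Fri, 01-Jan-2038` date; `# Not a session cookie: use a far-future (2038) expiry` is accurate. persist_login begins before this hunk, so I cannot see how `$cgi` and `$user` are obtained.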