Security hardening: Set secure cookie flag when using SSL #8474

Closed
2 changes: 1 addition & 1 deletion system/modules/core/classes/Frontend.php
Expand Up @@ -549,7 +549,7 @@ protected function getLoginStatus($strCookie)
$_SESSION['TL_USER_LOGGED_IN'] = false; // backwards compatibility

// Remove the cookie if it is invalid to enable loading cached pages
$this->setCookie($strCookie, $hash, (time() - 86400), null, null, false, true);
$this->setCookie($strCookie, $hash, (time() - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);

return false;
}
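Review bot: The Secure flag is computed at every call site with the redundant ternary `(\Environment::get('ssl')) ? true : false`; a plain cast `(bool) \Environment::get('ssl')` reads better, and better still would be to make the SSL check the default inside `System::setCookie()` itself so that a caller omitting the argument (as the three-argument `BE_PAGE_OFFSET` calls did before this commit, and as any extension code presumably still does) is hardened as well. As written, the hardening covers only the call sites this commit touches and silently regresses the moment a new `setCookie()` call is added without the extra arguments. The same pattern is repeated in FrontendUser.php, RebuildIndex.php, StyleSheets.php, Theme.php, BackendInstall.php, BackendPreview.php, BackendSwitch.php, DC_File.php, DC_Folder.php, DC_Table.php, ContentTable.php, User.php, PageRegular.php, ListWizard.php, TableWizard.php and Newsletter.php. getLoginStatus() begins outside this hunk.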
6 changes: 3 additions & 3 deletions system/modules/core/classes/FrontendUser.php
Expand Up @@ -190,7 +190,7 @@ public function authenticate()
}

// Remove the cookie if it is invalid to enable loading cached pages
$this->setCookie('FE_AUTO_LOGIN', $strCookie, (time() - 86400), null, null, false, true);
$this->setCookie('FE_AUTO_LOGIN', $strCookie, (time() - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);
}

return false;
Expand Down Expand Up @@ -220,7 +220,7 @@ public function login()
$this->autologin = $strToken;
$this->save();

$this->setCookie('FE_AUTO_LOGIN', $strToken, ($time + \Config::get('autologin')), null, null, false, true);
$this->setCookie('FE_AUTO_LOGIN', $strToken, ($time + \Config::get('autologin')), null, null, (\Environment::get('ssl')) ? true : false, true);
}

return true;
Expand Down Expand Up @@ -249,7 +249,7 @@ public function logout()
}

// Remove the auto login cookie
$this->setCookie('FE_AUTO_LOGIN', $this->autologin, (time() - 86400), null, null, false, true);
$this->setCookie('FE_AUTO_LOGIN', $this->autologin, (time() - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);

return true;
}
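Review bot: Deriving the Secure attribute from the scheme of the current request leaves a gap on sites reachable over both HTTP and HTTPS: a login over plain HTTP (the authenticate() and login() hunks) still issues `FE_AUTO_LOGIN` without Secure. Conversely, a logout over plain HTTP (the logout() hunk) tries to expire a cookie that was set with Secure, and browsers that implement the "leave secure cookies alone" rule will not let a non-secure origin overwrite it, so the auto-login cookie may survive the logout. Unless the site is forced to HTTPS everywhere, consider driving the flag from a configuration setting rather than from `\Environment::get('ssl')` per request, and redirecting HTTP authentication requests to HTTPS before any cookie is issued. The same removal-path concern applies to the `FE_USER_AUTH` deletions in Frontend.php, RebuildIndex.php, BackendSwitch.php and User.php. All three methods here begin outside their hunks.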
8 changes: 4 additions & 4 deletions system/modules/core/classes/RebuildIndex.php
Expand Up @@ -91,7 +91,7 @@ public function run()
$this->Automator->purgeSearchTables();

// Hide unpublished elements
$this->setCookie('FE_PREVIEW', 0, ($time - 86400));
$this->setCookie('FE_PREVIEW', 0, ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false);

// Calculate the hash
$strHash = sha1(session_id() . (!\Config::get('disableIpCheck') ? \Environment::get('ip') : '') . 'FE_USER_AUTH');
Expand All @@ -108,15 +108,15 @@ public function run()
->execute(\Input::get('user'), $time, 'FE_USER_AUTH', session_id(), \Environment::get('ip'), $strHash);

// Set the cookie
$this->setCookie('FE_USER_AUTH', $strHash, ($time + \Config::get('sessionTimeout')), null, null, false, true);
$this->setCookie('FE_USER_AUTH', $strHash, ($time + \Config::get('sessionTimeout')), null, null, (\Environment::get('ssl')) ? true : false, true);
}

// Log out the front end user
else
{
// Unset the cookies
$this->setCookie('FE_USER_AUTH', $strHash, ($time - 86400), null, null, false, true);
$this->setCookie('FE_AUTO_LOGIN', \Input::cookie('FE_AUTO_LOGIN'), ($time - 86400), null, null, false, true);
$this->setCookie('FE_USER_AUTH', $strHash, ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);
$this->setCookie('FE_AUTO_LOGIN', \Input::cookie('FE_AUTO_LOGIN'), ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);
}

$strBuffer = '';
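Review bot: The `FE_PREVIEW` cookie on the first hunk now gets Secure but, unlike the `FE_USER_AUTH` cookie a few lines below, still has no HttpOnly argument; if nothing client-side reads it, passing `true` as the seventh argument would make the two cookies set in this method consistent, e.g. `$this->setCookie('FE_PREVIEW', 0, ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);`. I cannot tell from this page whether front-end script depends on the cookie, so confirm before changing it. The same asymmetry exists for `FE_PREVIEW` in BackendSwitch.php and `TL_VIEW` in PageRegular.php. run() begins and ends outside these hunks.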
2 changes: 1 addition & 1 deletion system/modules/core/classes/StyleSheets.php
Expand Up @@ -1326,7 +1326,7 @@ public function importStyleSheet()
}

// Redirect
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect(str_replace('&key=import', '', \Environment::get('request')));
}

2 changes: 1 addition & 1 deletion system/modules/core/classes/Theme.php
Expand Up @@ -685,7 +685,7 @@ protected function extractThemeFiles($arrFiles, $arrDbFields)
unset($tl_files, $tl_theme, $tl_style_sheet, $tl_style, $tl_module, $tl_layout, $tl_image_size, $tl_image_size_item);
}

\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->Session->remove('uploaded_themes');

// Redirect
2 changes: 1 addition & 1 deletion system/modules/core/controllers/BackendInstall.php
Expand Up @@ -821,7 +821,7 @@ protected function setAuthCookie()
{
$_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
$_SESSION['TL_INSTALL_AUTH'] = md5(uniqid(mt_rand(), true) . (!\Config::get('disableIpCheck') ? \Environment::get('ip') : '') . session_id());
$this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], null, null, false, true);
$this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], null, null, (\Environment::get('ssl')) ? true : false, true);
}
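Review bot: The Secure flag added to the `TL_INSTALL_AUTH` cookie protects a token that the unchanged line just above builds from `md5(uniqid(mt_rand(), true) . ...)`, which is not a cryptographically secure source, so the transport hardening does not address the token's predictability. If the supported PHP version allows it, generate the value with `bin2hex(random_bytes(16))` (or `openssl_random_pseudo_bytes()` on older releases) and keep the rest of setAuthCookie() as it is. That line is outside this commit's change but sits in the same short method, whose signature is the hunk's context line.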


2 changes: 1 addition & 1 deletion system/modules/core/controllers/BackendPreview.php
Expand Up @@ -83,7 +83,7 @@ public function run()
->execute($objUser->id, time(), 'FE_USER_AUTH', session_id(), \Environment::get('ip'), $strHash);

// Set the cookie
$this->setCookie('FE_USER_AUTH', $strHash, (time() + \Config::get('sessionTimeout')), null, null, false, true);
$this->setCookie('FE_USER_AUTH', $strHash, (time() + \Config::get('sessionTimeout')), null, null, (\Environment::get('ssl')) ? true : false, true);
$objTemplate->user = \Input::post('user');
}
}
8 changes: 4 additions & 4 deletions system/modules/core/controllers/BackendSwitch.php
Expand Up @@ -78,14 +78,14 @@ public function run()
// Hide unpublished elements
if (\Input::post('unpublished') == 'hide')
{
$this->setCookie('FE_PREVIEW', 0, ($time - 86400));
$this->setCookie('FE_PREVIEW', 0, ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false);
$objTemplate->show = 0;
}

// Show unpublished elements
else
{
$this->setCookie('FE_PREVIEW', 1, ($time + \Config::get('sessionTimeout')));
$this->setCookie('FE_PREVIEW', 1, ($time + \Config::get('sessionTimeout')), null, null, (\Environment::get('ssl')) ? true : false);
$objTemplate->show = 1;
}

Expand All @@ -108,7 +108,7 @@ public function run()
->execute($objUser->id, $time, 'FE_USER_AUTH', session_id(), \Environment::get('ip'), $strHash);

// Set the cookie
$this->setCookie('FE_USER_AUTH', $strHash, ($time + \Config::get('sessionTimeout')), null, null, false, true);
$this->setCookie('FE_USER_AUTH', $strHash, ($time + \Config::get('sessionTimeout')), null, null, (\Environment::get('ssl')) ? true : false, true);
$objTemplate->user = \Input::post('user');
}
}
Expand All @@ -117,7 +117,7 @@ public function run()
else
{
// Remove cookie
$this->setCookie('FE_USER_AUTH', $strHash, ($time - 86400), null, null, false, true);
$this->setCookie('FE_USER_AUTH', $strHash, ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);
$objTemplate->user = '';
}
}
2 changes: 1 addition & 1 deletion system/modules/core/drivers/DC_File.php
Expand Up @@ -340,7 +340,7 @@ public function edit()
if (\Input::post('saveNclose'))
{
\Message::reset();
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect($this->getReferer());
}

6 changes: 3 additions & 3 deletions system/modules/core/drivers/DC_Folder.php
Expand Up @@ -1326,7 +1326,7 @@ public function edit()
if (\Input::post('saveNclose'))
{
\Message::reset();
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect($this->getReferer());
}

Expand Down Expand Up @@ -1605,7 +1605,7 @@ public function editAll()
{
if (\Input::post('saveNclose'))
{
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect($this->getReferer());
}

Expand Down Expand Up @@ -1798,7 +1798,7 @@ public function source()

if (\Input::post('saveNclose'))
{
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect($this->getReferer());
}

12 changes: 6 additions & 6 deletions system/modules/core/drivers/DC_Table.php
Expand Up @@ -2089,14 +2089,14 @@ public function edit($intId=null, $ajaxId=null)
if (isset($_POST['saveNclose']))
{
\Message::reset();
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);

$this->redirect($this->getReferer());
}
elseif (isset($_POST['saveNedit']))
{
\Message::reset();
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);

$strUrl = $this->addToUrl($GLOBALS['TL_DCA'][$this->strTable]['list']['operations']['edit']['href'], false);
$strUrl = preg_replace('/&(amp;)?(s2e|act|mode|pid)=[^&]*/i', '', $strUrl);
Expand All @@ -2106,7 +2106,7 @@ public function edit($intId=null, $ajaxId=null)
elseif (isset($_POST['saveNback']))
{
\Message::reset();
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);

if ($this->ptable == '')
{
Expand All @@ -2125,7 +2125,7 @@ public function edit($intId=null, $ajaxId=null)
elseif (isset($_POST['saveNcreate']))
{
\Message::reset();
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);

$strUrl = TL_SCRIPT . '?do=' . \Input::get('do');

Expand Down Expand Up @@ -2480,7 +2480,7 @@ public function editAll($intId=null, $ajaxId=null)
{
if (\Input::post('saveNclose'))
{
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect($this->getReferer());
}

Expand Down Expand Up @@ -2789,7 +2789,7 @@ public function overrideAll()
{
if (\Input::post('saveNclose'))
{
\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect($this->getReferer());
}

2 changes: 1 addition & 1 deletion system/modules/core/elements/ContentTable.php
Expand Up @@ -61,7 +61,7 @@ protected function compile()

if (\Input::cookie($co) == '')
{
\System::setCookie($co, $i . '|' . $so, 0);
\System::setCookie($co, $i . '|' . $so, 0, null, null, (\Environment::get('ssl')) ? true : false);
}
}

6 changes: 3 additions & 3 deletions system/modules/core/library/Contao/User.php
Expand Up @@ -279,7 +279,7 @@ public function authenticate()
$this->Database->prepare("UPDATE tl_session SET tstamp=$time WHERE hash=?")
->execute($this->strHash);

$this->setCookie($this->strCookie, $this->strHash, ($time + \Config::get('sessionTimeout')), null, null, false, true);
$this->setCookie($this->strCookie, $this->strHash, ($time + \Config::get('sessionTimeout')), null, null, (\Environment::get('ssl')) ? true : false, true);

// HOOK: post authenticate callback
if (isset($GLOBALS['TL_HOOKS']['postAuthenticate']) && is_array($GLOBALS['TL_HOOKS']['postAuthenticate']))
Expand Down Expand Up @@ -568,7 +568,7 @@ protected function generateSession()
->execute($this->intId, $time, $this->strCookie, session_id(), $this->strIp, $this->strHash);

// Set the authentication cookie
$this->setCookie($this->strCookie, $this->strHash, ($time + \Config::get('sessionTimeout')), null, null, false, true);
$this->setCookie($this->strCookie, $this->strHash, ($time + \Config::get('sessionTimeout')), null, null, (\Environment::get('ssl')) ? true : false, true);

// Set the login status (backwards compatibility)
$_SESSION['TL_USER_LOGGED_IN'] = true;
Expand Down Expand Up @@ -609,7 +609,7 @@ public function logout()
->execute($this->strHash);

// Remove cookie and hash
$this->setCookie($this->strCookie, $this->strHash, ($time - 86400), null, null, false, true);
$this->setCookie($this->strCookie, $this->strHash, ($time - 86400), null, null, (\Environment::get('ssl')) ? true : false, true);
$this->strHash = '';

// Destroy the current session
4 changes: 2 additions & 2 deletions system/modules/core/pages/PageRegular.php
Expand Up @@ -207,11 +207,11 @@ protected function getPageLayout($objPage)
{
if (\Input::get('toggle_view') == 'mobile')
{
$this->setCookie('TL_VIEW', 'mobile', 0);
$this->setCookie('TL_VIEW', 'mobile', 0, null, null, (\Environment::get('ssl')) ? true : false);
}
else
{
$this->setCookie('TL_VIEW', 'desktop', 0);
$this->setCookie('TL_VIEW', 'desktop', 0, null, null, (\Environment::get('ssl')) ? true : false);
}

$this->redirect($this->getReferer());
2 changes: 1 addition & 1 deletion system/modules/core/widgets/ListWizard.php
Expand Up @@ -229,7 +229,7 @@ public function importList(\DataContainer $dc)
$this->Database->prepare("UPDATE " . $dc->table . " SET listitems=? WHERE id=?")
->execute(serialize($arrList), \Input::get('id'));

\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect(str_replace('&key=list', '', \Environment::get('request')));
}

2 changes: 1 addition & 1 deletion system/modules/core/widgets/TableWizard.php
Expand Up @@ -311,7 +311,7 @@ public function importTable(\DataContainer $dc)
$this->Database->prepare("UPDATE " . $dc->table . " SET tableitems=? WHERE id=?")
->execute(serialize($arrTable), \Input::get('id'));

\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->redirect(str_replace('&key=table', '', \Environment::get('request')));
}

2 changes: 1 addition & 1 deletion system/modules/newsletter/classes/Newsletter.php
Expand Up @@ -521,7 +521,7 @@ public function importRecipients()
\Message::addInfo(sprintf($GLOBALS['TL_LANG']['tl_newsletter_recipients']['invalid'], $intInvalid));
}

\System::setCookie('BE_PAGE_OFFSET', 0, 0);
\System::setCookie('BE_PAGE_OFFSET', 0, 0, null, null, (\Environment::get('ssl')) ? true : false);
$this->reload();
}
