Issue #3092: change default of HTTPOnly to 1
Do not pass unneeded 'HTTPOnly => 1' to SetCookie()
bschmalhofer committed Mar 3, 2024
1 parent be7d774 commit bbf4572
Showing 7 changed files with 57 additions and 74 deletions.
13 changes: 6 additions & 7 deletions Kernel/Modules/AdminCustomerUser.pm
Expand Up @@ -168,13 +168,12 @@ sub Run {
SessionName => $ConfigObject->Get('SessionName'),
);
$LayoutObject->SetCookie(
Key => 'SessionIDCookie',
Name => $SessionName,
Value => $NewSessionID,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'SessionIDCookie',
Name => $SessionName,
Value => $NewSessionID,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);

# log event
1 change: 0 additions & 1 deletion Kernel/Modules/AdminUser.pm
Expand Up @@ -131,7 +131,6 @@ sub Run {
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

$Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
31 changes: 15 additions & 16 deletions Kernel/Output/HTML/Layout.pm
Expand Up @@ -740,12 +740,12 @@ sub Login {

# set a cookie tentatively for checking cookie support
$Self->SetCookie(
Key => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);
}

Expand Down Expand Up @@ -4073,13 +4073,12 @@ sub CustomerLogin {

# set a cookie tentatively for checking cookie support
$Self->SetCookie(
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);
}

Expand Down Expand Up @@ -6664,14 +6663,14 @@ sub UserInitialsGet {
Declare a cookie that should be sent out via the Set-Cookie HTTP header.
$ResponseObject->SetCookie(
RegisterInOM => 1, # 0|1, optional, default 0, whether $Kernel::OM->ObjectParamAdd() should be called
Key => 'ID', # name, determines order in which cookies are set when they have the same name
Name => 'Name', # optional, name of the cookie, the default is the value of 'Key'
Value => 123456, # value
Expires => '+3660s', # expires
Path => 'otobo/', # path optional, only allow cookie for given path, '/' will be prepended
Secure => 1, # secure optional, set secure attribute to disable cookie on HTTP (HTTPS only), default is off
HTTPOnly => 1, # httponly optional, sets httponly attribute of cookie to prevent access via JavaScript, default is off
RegisterInOM => 1, # 0|1, optional, default 0, whether $Kernel::OM->ObjectParamAdd() should be called
HTTPOnly => 1, # 1|'', optional, the default is 1, sets httponly attribute of cookie to prevent access via JavaScript
);
The attribute 'samesite' is set based on the SysConfig setting B<SessionSameSite>. The default is 'lax'.
Expand Down Expand Up @@ -6713,7 +6712,7 @@ sub SetCookie {
expires => $Param{Expires},
secure => $Param{Secure} || '',
samesite => $SameSite,
httponly => $Param{HTTPOnly} || '',
httponly => $Param{HTTPOnly} // 1,
path => '/' . ( $Param{Path} // '' ),
);

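Review bot: With `httponly => $Param{HTTPOnly} // 1` in SetCookie, an explicit `HTTPOnly => undef` is now indistinguishable from omitting the argument and turns HttpOnly on, while only a defined false value such as `''` is passed through as disabled; the POD entry should say so, e.g. `HTTPOnly => 1, # 1|'', optional, the default is 1; pass '' explicitly to allow JavaScript access, undef counts as not given`. Since every call site touched by this commit now relies on that default for the session and OIDC CSRF cookies, a unit test asserting that the Set-Cookie header produced by SetCookie without an HTTPOnly argument carries the HttpOnly attribute would keep a later change of the default from silently exposing those cookies. The Login hunk also appears to add `Name => 'OTOBOBrowserHasCookie'` next to an identical Key, which the POD says is already the default for Name; the same redundant line shows up in InterfaceAgent.pm and InterfaceCustomer.pm and is not mentioned in the commit message. SetCookie's body continues outside the hunk.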
13 changes: 6 additions & 7 deletions Kernel/System/Auth/OpenIDConnect.pm
Expand Up @@ -376,13 +376,12 @@ sub PreAuth {

# store the RandomString as a CSRF cookie
$LayoutObject->SetCookie(
Key => 'OIDCCSRF',
Name => 'OIDCCSRF',
Value => $RandomString,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $ConfigObject->Get('HttpType') eq 'https' ? 1 : undef,
HTTPOnly => 1,
Expires => '+' . $TTL . 's',
Key => 'OIDCCSRF',
Name => 'OIDCCSRF',
Value => $RandomString,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $ConfigObject->Get('HttpType') eq 'https' ? 1 : undef,
Expires => '+' . $TTL . 's',
);

# add a nonce if configured
13 changes: 6 additions & 7 deletions Kernel/System/CustomerAuth/OpenIDConnect.pm
Expand Up @@ -287,13 +287,12 @@ sub PreAuth {

# store the RandomString as a CSRF cookie
$LayoutObject->SetCookie(
Key => 'OIDCCSRF',
Name => 'OIDCCSRF',
Value => $RandomString,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $ConfigObject->Get('HttpType') eq 'https' ? 1 : undef,
HTTPOnly => 1,
Expires => '+' . $TTL . 's',
Key => 'OIDCCSRF',
Name => 'OIDCCSRF',
Value => $RandomString,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $ConfigObject->Get('HttpType') eq 'https' ? 1 : undef,
Expires => '+' . $TTL . 's',
);

# add a nonce if configured
30 changes: 12 additions & 18 deletions Kernel/System/Web/InterfaceAgent.pm
Expand Up @@ -329,12 +329,12 @@ sub Content {
# tentatively set an useless cookie, for checking cookie support
my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
$LayoutObject->SetCookie(
Key => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);

# redirect to alternate login
Expand Down Expand Up @@ -524,7 +524,6 @@ sub Content {
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);
Kernel::Output::HTML::Layout->SetCookie(
RegisterInOM => 1,
Expand All @@ -534,7 +533,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

# Check if Chat is active
Expand Down Expand Up @@ -643,7 +641,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

$Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
Expand Down Expand Up @@ -892,12 +889,12 @@ sub Content {

# set a cookie tentatively for checking cookie support
$LayoutObject->SetCookie(
Key => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);
}

Expand Down Expand Up @@ -951,7 +948,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

# if the wrong scheme is used, delete also the "other" cookie - issue #251
Expand All @@ -973,7 +969,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => '',
HTTPOnly => 1,
);
Kernel::Output::HTML::Layout->SetCookie(
RegisterInOM => 1,
Expand All @@ -983,7 +978,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => 1,
HTTPOnly => 1,
);
}

30 changes: 12 additions & 18 deletions Kernel/System/Web/InterfaceCustomer.pm
Expand Up @@ -320,12 +320,12 @@ sub Content {
# tentatively set an useless cookie, for checking cookie support
my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
$LayoutObject->SetCookie(
Key => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);

# redirect to alternate login
Expand Down Expand Up @@ -518,7 +518,6 @@ sub Content {
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

# delete the OTOBOBrowserHasCookie cookie
Expand All @@ -530,7 +529,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

# redirect with new session id and old params
Expand Down Expand Up @@ -600,7 +598,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

$Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
Expand Down Expand Up @@ -1048,12 +1045,12 @@ sub Content {

# set a cookie tentatively for checking cookie support
$LayoutObject->SetCookie(
Key => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
Key => 'OTOBOBrowserHasCookie',
Name => 'OTOBOBrowserHasCookie',
Value => 1,
Expires => $Expires,
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
);
}

Expand Down Expand Up @@ -1107,7 +1104,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => $CookieSecureAttribute,
HTTPOnly => 1,
);

# if the wrong scheme is used, delete also the "other" cookie - issue #251
Expand All @@ -1129,7 +1125,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => '',
HTTPOnly => 1,
);

# delete the OTOBO session cookie
Expand All @@ -1141,7 +1136,6 @@ sub Content {
Expires => '-1y',
Path => $ConfigObject->Get('ScriptAlias'),
Secure => 1,
HTTPOnly => 1,
);
}

