Ensure cookies have httponly and secure flags set

Jamie Snape · Jamie Snape · commit ee363e3be05e · 2014-12-11T23:27:39.000-05:00
diff --git a/core/AppController.php b/core/AppController.php
@@ -30,6 +30,7 @@
  */
 class AppController extends MIDAS_GlobalController
 {
+
     /** @var string */
     protected $coreWebroot;
 
@@ -104,11 +105,14 @@ public function preDispatch()
                 $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
             }
 
+            /** @var Zend_Controller_Request_Http $request */
+            $request = $this->getRequest();
+
             if ($user->Dao == null && $fc->getRequest()->getControllerName() != 'install'
             ) {
                 /** @var UserModel $userModel */
                 $userModel = MidasLoader::loadModel('User');
-                $cookieData = $this->getRequest()->getCookie('midasUtil');
+                $cookieData = $request->getCookie(MIDAS_USER_COOKIE_NAME);
 
                 if (!empty($cookieData)) {
                     $notifier = new MIDAS_Notifier(false, null);
@@ -152,7 +156,8 @@ public function preDispatch()
                 $this->logged = true;
                 $this->view->logged = true;
                 $this->view->userDao = $user->Dao;
-                $cookieData = $this->getRequest()->getCookie('recentItems'.$this->userSession->Dao->user_id);
+                $cookieName = hash('sha1', MIDAS_ITEM_COOKIE_NAME.$this->userSession->Dao->user_id);
+                $cookieData = $request->getCookie($cookieName);
                 $this->view->recentItems = array();
                 if (isset($cookieData) && file_exists(LOCAL_CONFIGS_PATH.'/database.local.ini')
                 ) { // check if midas installed
diff --git a/core/Bootstrap.php b/core/Bootstrap.php
@@ -44,16 +44,27 @@ protected function _initConfig()
     {
         // init language
         $configGlobal = new Zend_Config_Ini(APPLICATION_CONFIG, 'global', true);
-        if (isset($_COOKIE['lang'])) {
-            $configGlobal->application->lang = $_COOKIE['lang'];
+        if (isset($_COOKIE[MIDAS_LANGUAGE_COOKIE_NAME])) {
+            $configGlobal->application->lang = $_COOKIE[MIDAS_LANGUAGE_COOKIE_NAME];
         }
 
         if (isset($_GET['lang'])) {
-            if ($_GET['lang'] != 'en' && $_GET['lang'] != 'fr') {
-                $_GET['lang'] = 'en';
+            $language = $_GET['lang'];
+            if ($language !== 'en' && $language !== 'fr') {
+                $language = 'en';
             }
-            $configGlobal->application->lang = $_GET['lang'];
-            setcookie("lang", $_GET['lang'], time() + 60 * 60 * 24 * 30 * 20, '/'); // 30 days *20
+            $configGlobal->application->lang = $language;
+            $date = new DateTime();
+            $interval = new DateInterval('P1M');
+            setcookie(
+                MIDAS_LANGUAGE_COOKIE_NAME,
+                $language,
+                $date->add($interval)->getTimestamp(),
+                '/',
+                !empty($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $_SERVER['SERVER_NAME'],
+                (int) $configGlobal->get('cookie_secure', 1) === 1,
+                true
+            );
         }
 
         Zend_Registry::set('configGlobal', $configGlobal);
@@ -401,4 +412,17 @@ protected function _initREST()
         $restContexts = new REST_Controller_Action_Helper_RestContexts();
         Zend_Controller_Action_HelperBroker::addHelper($restContexts);
     }
+
+    /** Configure the session. */
+    protected function _initSession()
+    {
+        $this->bootstrap('Config');
+        $config = Zend_Registry::get('configGlobal');
+        $options = array(
+            'cookie_httponly' => true,
+            'cookie_secure' => (int) $config->get('cookie_secure', 1) === 1,
+            'gc_maxlifetime' => 600,
+        );
+        Zend_Session::setOptions($options);
+    }
 }
diff --git a/core/configs/application.ini b/core/configs/application.ini
@@ -21,6 +21,8 @@ dynamichelp = "1"
 password.prefix =
 ; outbound HTTP proxy to be used by PHP (empty for none)
 httpproxy =
+; require secure cookies
+cookie_secure = "0"
 ; show debug toolbar
 debug_toolbar = "0"
 
diff --git a/core/constant/core.php b/core/constant/core.php
@@ -93,3 +93,8 @@
 define('MIDAS_USER_PUBLIC', 0);
 define('MIDAS_USER_PRIVATE', 1);
 define('MIDAS_MAXIMUM_FOLDER_NUMBERS_PER_LEVEL', 1000);
+
+define('MIDAS_FEED_COOKIE_NAME', '7d35274374e65b9f96029ba04648cc6d4bd00371');
+define('MIDAS_ITEM_COOKIE_NAME', '5a4c76b5be3cecac6695e80232ba95921aeab03e');
+define('MIDAS_LANGUAGE_COOKIE_NAME', '78ee012e5b9b482f21f984208bf378caec116024');
+define('MIDAS_USER_COOKIE_NAME', '9afc792c9f51b69fa1aec4c41286ed3997f93c48');
diff --git a/core/controllers/FeedController.php b/core/controllers/FeedController.php
@@ -46,17 +46,26 @@ public function indexAction()
         $this->view->header = $this->t('Feed');
 
         if ($this->logged && !$this->isTestingEnv()) {
+            $cookieName = hash('sha1', MIDAS_FEED_COOKIE_NAME.$this->userSession->Dao->getKey());
+
+            /** @var Zend_Controller_Request_Http $request */
             $request = $this->getRequest();
-            $cookieData = $request->getCookie('newFeed'.$this->userSession->Dao->getKey());
+            $cookieData = $request->getCookie($cookieName);
+
             if (isset($cookieData) && is_numeric($cookieData)) {
                 $this->view->lastFeedVisit = $cookieData;
             }
+            $date = new DateTime();
+            $interval = new DateInterval('P1M');
             setcookie(
-                'newFeed'.$this->userSession->Dao->getKey(),
-                strtotime("now"),
-                time() + 60 * 60 * 24 * 300,
-                '/'
-            ); // 30 days
+                $cookieName,
+                $date->getTimestamp(),
+                $date->add($interval)->getTimestamp(),
+                '/',
+                $request->getHttpHost(),
+                (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+                true
+            );
         }
 
         $this->addDynamicHelp(
diff --git a/core/controllers/ItemController.php b/core/controllers/ItemController.php
@@ -158,9 +158,12 @@ public function viewAction()
                 }
             }
         }
-        if ($this->logged) {
+        if ($this->logged && !$this->isTestingEnv()) {
+            $cookieName = hash('sha1', MIDAS_ITEM_COOKIE_NAME.$this->userSession->Dao->getKey());
+
+            /** @var Zend_Controller_Request_Http $request */
             $request = $this->getRequest();
-            $cookieData = $request->getCookie('recentItems'.$this->userSession->Dao->getKey());
+            $cookieData = $request->getCookie($cookieName);
             $recentItems = array();
             if (isset($cookieData)) {
                 $recentItems = unserialize($cookieData);
@@ -179,15 +182,17 @@ public function viewAction()
             }
             $recentItems = array_reverse($tmp);
             $recentItems[] = $itemDao->getKey();
-
-            if (!headers_sent()) {
-                setcookie(
-                    'recentItems'.$this->userSession->Dao->getKey(),
-                    serialize($recentItems),
-                    time() + 60 * 60 * 24 * 30,
-                    '/'
-                ); // 30 days
-            }
+            $date = new DateTime();
+            $interval = new DateInterval('P1M');
+            setcookie(
+                $cookieName,
+                serialize($recentItems),
+                $date->add($interval)->getTimestamp(),
+                '/',
+                $request->getHttpHost(),
+                (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+                true
+            );
         }
 
         $this->Item->incrementViewCount($itemDao);
diff --git a/core/controllers/UserController.php b/core/controllers/UserController.php
@@ -151,7 +151,18 @@ public function logoutAction()
         session_start(); // we closed session before, must restart it to logout
         $this->userSession->Dao = null;
         Zend_Session::ForgetMe();
-        setcookie('midasUtil', null, time() + 60 * 60 * 24 * 30, '/'); // 30 days
+        $request = $this->getRequest();
+        $date = new DateTime();
+        $interval = new DateInterval('P1M');
+        setcookie(
+            MIDAS_USER_COOKIE_NAME,
+            null,
+            $date->sub($interval)->getTimestamp(),
+            '/',
+            $request->getHttpHost(),
+            (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+            true
+        );
         $noRedirect = $this->getParam('noRedirect');
         if (isset($noRedirect)) {
             $this->disableView();
@@ -487,12 +498,18 @@ public function ajaxloginAction()
             if ($userDao->getSalt() == '') {
                 $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
             }
+            $request = $this->getRequest();
+            $date = new DateTime();
+            $interval = new DateInterval('P1M');
             setcookie(
-                'midasUtil',
+                MIDAS_USER_COOKIE_NAME,
                 $userDao->getKey().'-'.$passwordHash,
-                time() + 60 * 60 * 24 * 30,
-                '/'
-            ); // 30 days
+                $date->add($interval)->getTimestamp(),
+                '/',
+                $request->getHttpHost(),
+                (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+                true
+            );
             Zend_Session::start();
             $user = new Zend_Session_Namespace('Auth_User');
             $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
@@ -508,14 +525,15 @@ public function ajaxloginAction()
     /** Login action */
     public function loginAction()
     {
-        $this->Form->User->uri = $this->getRequest()->getRequestUri();
+        $request = $this->getRequest();
+        $this->Form->User->uri = $request->getRequestUri();
         $form = $this->Form->User->createLoginForm();
         $this->view->form = $this->getFormAsArray($form);
         $this->disableLayout();
         if ($this->_request->isPost()) {
             $this->disableView();
             $previousUri = $this->getParam('previousuri');
-            if ($form->isValid($this->getRequest()->getPost())) {
+            if ($form->isValid($request->getPost())) {
                 try {
                     $notifications = array(); // initialize first in case of exception
                     $notifications = Zend_Registry::get('notifier')->callback(
@@ -576,18 +594,29 @@ public function loginAction()
                         $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
                     }
                     $remember = $form->getValue('remerberMe');
-                    if (!$authModule && isset($remember) && $remember == 1) {
-                        if (!$this->isTestingEnv()) {
+                    if (!$this->isTestingEnv()) {
+                        $date = new DateTime();
+                        $interval = new DateInterval('P1M');
+                        if (!$authModule && isset($remember) && $remember == 1) {
                             setcookie(
-                                'midasUtil',
+                                MIDAS_USER_COOKIE_NAME,
                                 $userDao->getKey().'-'.$passwordHash,
-                                time() + 60 * 60 * 24 * 30,
-                                '/'
-                            ); // 30 days
-                        }
-                    } else {
-                        if (!$this->isTestingEnv()) {
-                            setcookie('midasUtil', null, time() + 60 * 60 * 24 * 30, '/'); // 30 days
+                                $date->add($interval)->getTimestamp(),
+                                '/',
+                                $request->getHttpHost(),
+                                (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+                                true
+                            );
+                        } else {
+                            setcookie(
+                                MIDAS_USER_COOKIE_NAME,
+                                null,
+                                $date->sub($interval)->getTimestamp(),
+                                '/',
+                                $request->getHttpHost(),
+                                (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+                                true
+                            );
                             Zend_Session::start();
                             $user = new Zend_Session_Namespace('Auth_User');
                             $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
@@ -1286,7 +1315,18 @@ public function deleteAction()
                 session_start();
                 $this->userSession->Dao = null;
                 Zend_Session::ForgetMe();
-                setcookie('midasUtil', null, time() + 60 * 60 * 24 * 30, '/');
+                $request = $this->getRequest();
+                $date = new DateTime();
+                $interval = new DateInterval('P1M');
+                setcookie(
+                    MIDAS_USER_COOKIE_NAME,
+                    null,
+                    $date->sub($interval)->getTimestamp(),
+                    '/',
+                    $request->getHttpHost(),
+                    (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+                    true
+                );
             }
         }
         $this->_helper->viewRenderer->setNoRender();
diff --git a/modules/googleauth/controllers/CallbackController.php b/modules/googleauth/controllers/CallbackController.php
@@ -191,13 +191,20 @@ protected function _createOrGetUser($info)
         }
 
         $userapi = $this->Userapi->getByAppAndUser('Default', $user);
+        $request = $this->getRequest();
+        $date = new DateTime();
+        $interval = new DateInterval('P1M');
         setcookie(
-            'midasUtil',
+            MIDAS_USER_COOKIE_NAME,
             'googleauth:'.$user->getKey().':'.md5($userapi->getApikey()),
-            time() + 60 * 60 * 24 * 30,
-            '/'
+            $date->add($interval)->getTimestamp(),
+            '/',
+            $request->getHttpHost(),
+            (int) Zend_Registry::get('configGlobal')->get('cookie_secure', 1) === 1,
+            true
         );
 
+
         return $user;
     }
 }
diff --git a/modules/javauploaddownload/controllers/UploadController.php b/modules/javauploaddownload/controllers/UploadController.php
@@ -206,9 +206,9 @@ public function javadestinationfolderAction()
         $this->disableLayout();
 
         if (Zend_Registry::get('configGlobal')->environment != 'testing') {
-            // give a week-long session cookie in case the download lasts a long time
+            // give a three day session cookie in case the download lasts a long time
             session_start();
-            $this->userSession->setExpirationSeconds(60 * 60 * 24 * 7);
+            $this->userSession->setExpirationSeconds(60 * max(60 * 24 * 3, Zend_Registry::get('configGlobal')->session->lifetime));
             session_write_close();
         }
 
diff --git a/modules/mfa/Notification.php b/modules/mfa/Notification.php
@@ -70,7 +70,7 @@ public function authIntercept($params)
             // write temp user into session for asynchronous confirmation
             Zend_Session::start();
             $userSession = new Zend_Session_Namespace('Mfa_Temp_User');
-            $userSession->setExpirationSeconds(600); // "limbo" state should invalidate after 10 minutes
+            $userSession->setExpirationSeconds(60 * min(10, Zend_Registry::get('configGlobal')->session->lifetime)); // "limbo" state should invalidate after 10 minutes
             $userSession->Dao = $user;
             $userSession->lock();
 
diff --git a/php.ini b/php.ini
@@ -1,3 +1,5 @@
 google_app_engine.allow_include_gs_buckets = "your-cloudstorage-bucket"
 google_app_engine.enable_functions = "php_sapi_name, phpversion"
+session.cookie_httponly = On
+session.cookie_secure = On
 session.gc_maxlifetime = 14400
