parent
14784f06d8
commit
114b0a5ea7
@ -705,6 +705,20 @@ SilverStripe\Control\Session:
|
|||||||
cookie_secure: true
|
cookie_secure: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The same treatment should be applied to the cookie responsible for remembering logins across sessions:
|
||||||
|
|
||||||
|
```yml
|
||||||
|
---
|
||||||
|
Name: secure-alc
|
||||||
|
Except:
|
||||||
|
environment: dev
|
||||||
|
---
|
||||||
|
SilverStripe\Core\Injector\Injector:
|
||||||
|
SilverStripe\Security\MemberAuthenticator\CookieAuthenticationHandler:
|
||||||
|
properties:
|
||||||
|
TokenCookieSecure: true
|
||||||
|
```
|
||||||
|
|
||||||
For other cookies set by your application we should also ensure the users are provided with secure cookies by setting
|
For other cookies set by your application we should also ensure the users are provided with secure cookies by setting
|
||||||
the "Secure" and "HTTPOnly" flags. These flags prevent them from being stolen by an attacker through javascript.
|
the "Secure" and "HTTPOnly" flags. These flags prevent them from being stolen by an attacker through javascript.
|
||||||
|
|
||||||
|
@ -27,6 +27,11 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
*/
|
*/
|
||||||
private $tokenCookieName;
|
private $tokenCookieName;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var boolean
|
||||||
|
*/
|
||||||
|
private $tokenCookieSecure = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @var IdentityStore
|
* @var IdentityStore
|
||||||
*/
|
*/
|
||||||
@ -76,6 +81,28 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
return $this;
|
return $this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the name of the cookie used to store an login token
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getTokenCookieSecure()
|
||||||
|
{
|
||||||
|
return $this->tokenCookieSecure;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set cookie with HTTPS only flag
|
||||||
|
*
|
||||||
|
* @param string $tokenCookieSecure
|
||||||
|
* @return $this
|
||||||
|
*/
|
||||||
|
public function setTokenCookieSecure($tokenCookieSecure)
|
||||||
|
{
|
||||||
|
$this->tokenCookieSecure = $tokenCookieSecure;
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Once a member is found by authenticateRequest() pass it to this identity store
|
* Once a member is found by authenticateRequest() pass it to this identity store
|
||||||
*
|
*
|
||||||
@ -128,11 +155,11 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
|
|
||||||
/** @var RememberLoginHash $rememberLoginHash */
|
/** @var RememberLoginHash $rememberLoginHash */
|
||||||
$rememberLoginHash = RememberLoginHash::get()
|
$rememberLoginHash = RememberLoginHash::get()
|
||||||
->filter(array(
|
->filter([
|
||||||
'MemberID' => $member->ID,
|
'MemberID' => $member->ID,
|
||||||
'DeviceID' => $deviceID,
|
'DeviceID' => $deviceID,
|
||||||
'Hash' => $hash
|
'Hash' => $hash,
|
||||||
))->first();
|
])->first();
|
||||||
if (!$rememberLoginHash) {
|
if (!$rememberLoginHash) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
@ -189,13 +216,14 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
$rememberLoginHash = RememberLoginHash::generate($member);
|
$rememberLoginHash = RememberLoginHash::generate($member);
|
||||||
$tokenExpiryDays = RememberLoginHash::config()->uninherited('token_expiry_days');
|
$tokenExpiryDays = RememberLoginHash::config()->uninherited('token_expiry_days');
|
||||||
$deviceExpiryDays = RememberLoginHash::config()->uninherited('device_expiry_days');
|
$deviceExpiryDays = RememberLoginHash::config()->uninherited('device_expiry_days');
|
||||||
|
$secure = $this->getTokenCookieSecure();
|
||||||
Cookie::set(
|
Cookie::set(
|
||||||
$this->getTokenCookieName(),
|
$this->getTokenCookieName(),
|
||||||
$member->ID . ':' . $rememberLoginHash->getToken(),
|
$member->ID . ':' . $rememberLoginHash->getToken(),
|
||||||
$tokenExpiryDays,
|
$tokenExpiryDays,
|
||||||
null,
|
null,
|
||||||
null,
|
null,
|
||||||
null,
|
$secure,
|
||||||
true
|
true
|
||||||
);
|
);
|
||||||
Cookie::set(
|
Cookie::set(
|
||||||
@ -204,7 +232,7 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
$deviceExpiryDays,
|
$deviceExpiryDays,
|
||||||
null,
|
null,
|
||||||
null,
|
null,
|
||||||
null,
|
$secure,
|
||||||
true
|
true
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
@ -220,7 +248,7 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
{
|
{
|
||||||
$member = Security::getCurrentUser();
|
$member = Security::getCurrentUser();
|
||||||
if ($member) {
|
if ($member) {
|
||||||
RememberLoginHash::clear($member, Cookie::get('alc_device'));
|
RememberLoginHash::clear($member, Cookie::get($this->getDeviceCookieName()));
|
||||||
}
|
}
|
||||||
$this->clearCookies();
|
$this->clearCookies();
|
||||||
|
|
||||||
@ -236,9 +264,10 @@ class CookieAuthenticationHandler implements AuthenticationHandler
|
|||||||
*/
|
*/
|
||||||
protected function clearCookies()
|
protected function clearCookies()
|
||||||
{
|
{
|
||||||
Cookie::set($this->getTokenCookieName(), null);
|
$secure = $this->getTokenCookieSecure();
|
||||||
Cookie::set($this->getDeviceCookieName(), null);
|
Cookie::set($this->getTokenCookieName(), null, null, null, null, $secure);
|
||||||
Cookie::force_expiry($this->getTokenCookieName());
|
Cookie::set($this->getDeviceCookieName(), null, null, null, null, $secure);
|
||||||
Cookie::force_expiry($this->getDeviceCookieName());
|
Cookie::force_expiry($this->getTokenCookieName(), null, null, null, null, $secure);
|
||||||
|
Cookie::force_expiry($this->getDeviceCookieName(), null, null, null, null, $secure);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
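Review bot: The docblocks on the new accessors in the hunk at `@ -76,6 +81,28` are wrong: `getTokenCookieSecure()` carries the description copied from the cookie-name getter (`Get the name of the cookie used to store an login token`), and `setTokenCookieSecure()` declares `@param string $tokenCookieSecure` while the property added in the hunk at `@ -27,6 +27,11` is `@var boolean`. Replace them with `* Whether the login token and device cookies are set with the Secure (HTTPS-only) flag` plus `@return bool` on the getter and `@param bool $tokenCookieSecure` on the setter; casting in the setter, `$this->tokenCookieSecure = (bool) $tokenCookieSecure;`, would keep a config-supplied string from being stored verbatim. Since `$secure` is now also passed to `Cookie::force_expiry()` in `clearCookies()`, the setter comment should state that the flag must stay consistent between setting and clearing the cookie — presumably a mismatch would leave a stale cookie behind on logout, which is worth confirming against `Cookie::force_expiry()`.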