tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

ENHANCEMENT Limiting "alc_enc" cookie (remember login token) to httpOnly to reduce risk of information exposure through XSS

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86027 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2009-09-10 03:23:31 +00:00
parent 8fbf530bf6
commit 2700d73e97
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
security/Member.php
View File

@ -217,7 +217,8 @@ class Member extends DataObject {
if($remember) {
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
$this->RememberLoginToken = $token;
Cookie::set('alc_enc', $this->ID . ':' . $token);
// Set cookie (with HTTPOnly flag if running on PHP 5.2 or newer)
Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
} else {
$this->RememberLoginToken = null;
Cookie::set('alc_enc', null);
@ -284,7 +285,7 @@ class Member extends DataObject {
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID));
$member->RememberLoginToken = $token;
Cookie::set('alc_enc', $member->ID . ':' . $token);
Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, null, true);
$member->NumVisit++;
$member->write();