BUGFIX Cookies set to a value other than NULL (setting a cookie to NULL effectively unsets it) will now use the httpOnly parameter by default for better XSS protection (from r101045)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@101046 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sean Harvey 2010-03-15 05:28:40 +00:00 committed by Sam Minnee
parent 5fc298cf1e
commit 470082d12d
3 changed files with 8 additions and 8 deletions


@ -22,15 +22,16 @@ class Cookie {
if(!headers_sent($file, $line)) {
$expiry = $expiryDays > 0 ? time()+(86400*$expiryDays) : 0;
$path = ($path) ? $path : Director::baseURL();
// Versions of PHP prior to 5.2 do not support the $httpOnly value
if(version_compare(phpversion(), 5.2, '<'))
if(version_compare(phpversion(), 5.2, '<')) {
setcookie($name, $value, $expiry, $path, $domain, $secure);
else
} else {
setcookie($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
}
} else {
if(self::$report_errors) user_error("Cookie '$name' can't be set. The site started outputting was content at line $line in $file", E_USER_WARNING);
}
$_COOKIE[$name] = $value;
}
/**
@ -54,4 +55,4 @@ class Cookie {
}
}
?>
?>
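Review bot: On PHP older than 5.2 the branch at L19 drops the requested httpOnly flag without any report, so a caller asking for the protection gets a plain cookie and nothing in the logs says so, even with self::$report_errors enabled. A one-line notice in that branch would make the downgrade visible: `if($httpOnly && self::$report_errors) user_error("Cookie '$name': httpOnly is not supported on PHP < 5.2", E_USER_NOTICE);`. The version test also passes the float literal 5.2 to version_compare, which expects strings; `if(version_compare(PHP_VERSION, '5.2', '<')) {` is the safer spelling. Separately, `$_COOKIE[$name] = $value;` at L27 runs even on the headers_sent() failure path, so the rest of the request sees a cookie the browser never received. The set() method's signature, and the httpOnly default the commit message refers to, are outside this hunk.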


@ -81,7 +81,7 @@ class Controller extends RequestHandler {
if(Session::get('loggedInAs') && Security::database_is_ready()) {
$member = Member::currentUser();
if($member) {
if(!headers_sent()) Cookie::set("PastMember", true);
Cookie::set("PastMember", true, 90, null, null, false, true);
DB::query("UPDATE \"Member\" SET \"LastVisited\" = " . DB::getConn()->now() . " WHERE \"ID\" = $member->ID", null);
}
}
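Review bot: Dropping the `if(!headers_sent())` guard from the PastMember line changes behaviour rather than just tidying: Cookie::set does its own headers_sent() check, but on that path it raises an E_USER_WARNING when self::$report_errors is on, where the old line skipped silently, so pages that start output early and used to be quiet may now warn. If that is intended it deserves a word in the commit message; otherwise keep the guard. The positional tail `null, null, false, true` is hard to read without the signature in view; a trailing `// path, domain, secure, httpOnly` would help the next reader. Passing `true` as the cookie value means setcookie sends "1" while `$_COOKIE["PastMember"]` holds a bool for the remainder of this request; `'1'` keeps the two consistent. The enclosing method starts and ends outside the hunk.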


@ -312,7 +312,6 @@ class Member extends DataObject {
if($remember) {
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($this->ID));
$this->RememberLoginToken = $token;
// Set cookie (with HTTPOnly flag if running on PHP 5.2 or newer)
Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
} else {
$this->RememberLoginToken = null;
@ -378,11 +377,11 @@ class Member extends DataObject {
self::session_regenerate_id();
Session::set("loggedInAs", $member->ID);
// This lets apache rules detect whether the user has logged in
if(self::$login_marker_cookie) Cookie::set(self::$login_marker_cookie, 1, 0);
if(self::$login_marker_cookie) Cookie::set(self::$login_marker_cookie, 1, 0, null, null, false, true);
$token = substr(md5(uniqid(rand(), true)), 0, 49 - strlen($member->ID));
$member->RememberLoginToken = $token;
Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, null, true);
Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
$member->NumVisit++;
$member->write();
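Review bot: The second hunk appears to change the `$secure` argument of the `alc_enc` cookie from `null` to `false` at L67, but the same call at L55 in the `if($remember)` branch of the first hunk still passes `null`, so the two remember-me cookie writes now disagree; apply the same change there. More importantly, `alc_enc` carries the remember-login credential, and a hard-coded `false` keeps it off HTTPS-only delivery even on sites served entirely over TLS; deriving the flag from the request's HTTPS state, or making it configurable alongside the login marker cookie, would be the defensive default. The token itself at L64 comes from `md5(uniqid(rand(), true))`, a non-cryptographic source for an authentication token — outside this commit's scope, but worth a follow-up. Both enclosing methods start and end outside the hunks.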