Author: Mikael Falkvidd <[email protected]> Date: Tue Jun 3 16:03:15 2014 +0200 Committer: Lars Michelsen <[email protected]> Commit-Date: Thu Jun 5 18:27:37 2014 +0200
Add support for secure and httponly cookies Most modern browsers will deny javascript access to cookies if the HttpOnly flag is set. This prevents XSS attacks from stealing cookies. Default is off to not break any existing installations that rely on this functionality. Most modern browsers will prevent cookies from being sent unencrypted if the Secure flag is set. Default is off since not all Nagvis installations require HTTPS. More information on these cookie flags is available at http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly Change-Id: I2e06489f301fd3845ee30a3e0e908b14ff46a45d Signed-off-by: Lars Michelsen <[email protected]> --- docs/en_US/nagvis_config_format_description.html | 6 ++++++ etc/nagvis.ini.php-sample | 9 +++++++++ share/server/core/classes/CoreSessionHandler.php | 6 ++++-- share/server/core/classes/GlobalMainCfg.php | 12 ++++++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/docs/en_US/nagvis_config_format_description.html b/docs/en_US/nagvis_config_format_description.html index 3af980b..fda95ba 100644 --- a/docs/en_US/nagvis_config_format_description.html +++ b/docs/en_US/nagvis_config_format_description.html 
@@ -226,6 +226,12 @@
 <td>sesscookieduration</td><td>86400</td><td>Lifetime of the NagVis session cookie in seconds. The default value is set to 24 hours. The value of the NagVis session cookie contains will be renewed on every page visit. If a session is idle for more time than configured here it will become invalid.</td>
 </tr>
 <tr>
+ <td>sesscookiehttponly</td><td>0</td><td>Most modern browsers will deny javascript access to cookies if the HttpOnly flag is set. This prevents XSS attacks from stealing cookies. Default is off to not break any existing installations that rely on this functionality. Set to 1 to enable.</td>
+ </tr>
+ <tr>
+ <td>sesscookiesecure</td><td>0</td><td>Most modern browsers will prevent cookies from being sent unencrypted if the Secure flag is set. Default is off since not all Nagvis installations require HTTPS. Set to 1 to enable.</td>
+ </tr>
+ <tr>
 <td>startmodule</td><td>overview</td><td>The default module to show when none is given by the user</td>
 </tr>
 <tr>
diff --git a/etc/nagvis.ini.php-sample b/etc/nagvis.ini.php-sample
index 6dd280a..eea1334 100644
--- a/etc/nagvis.ini.php-sample
+++ b/etc/nagvis.ini.php-sample
@@ -163,6 +163,15 @@
 ; visit. If a session is idle for more time than configured here it will become
 ; invalid.
 ;sesscookieduration="86400"
+; Most modern browsers will deny javascript access to cookies if the HttpOnly
+; flag is set. This prevents XSS attacks from stealing cookies. Default is off
+; to not break any existing installations that rely on this functionality. Set
+; to 1 to enable.
+;sesscookiehttponly=0
+; Most modern browsers will prevent cookies from being sent unencrypted if the
+; Secure flag is set. Default is off since not all Nagvis installations require
+; HTTPS. Set to 1 to enable.
+;sesscookiesecure=0
 ;
 ; Start page to redirect the user to when first visiting NagVis without
 ; special parameters.
diff --git a/share/server/core/classes/CoreSessionHandler.php b/share/server/core/classes/CoreSessionHandler.php
index 8c3dff6..b5f685d 100644
--- a/share/server/core/classes/CoreSessionHandler.php
+++ b/share/server/core/classes/CoreSessionHandler.php
@@ -34,6 +34,8 @@ class CoreSessionHandler {
 $sDomain = cfg('global', 'sesscookiedomain');
 $sPath = cfg('global', 'sesscookiepath');
 $iDuration = cfg('global', 'sesscookieduration');
+ $bSecure = cfg('global', 'sesscookiesecure');
+ $bHTTPOnly = cfg('global', 'sesscookiehttponly');
 
 // Set the session name (used in params/cookie names)
 session_name(SESSION_NAME);
@@ -49,7 +51,7 @@ class CoreSessionHandler {
 $sDomain = null;
 
 // Set custom params for the session cookie
- session_set_cookie_params(0, $sPath, $sDomain);
+ session_set_cookie_params(0, $sPath, $sDomain, $bSecure, $bHTTPOnly);
 
 // Start a session for the user when not started yet
 if(!isset($_SESSION)) {
@@ -78,7 +80,7 @@ class CoreSessionHandler {
 // the half of the expiration time has passed
 if(time() >= $this->get('sessionExpires') - ($iDuration/2)) {
 $exp = time() + $iDuration;
- setcookie(SESSION_NAME, $_COOKIE[SESSION_NAME], $exp, $sPath, $sDomain);
+ setcookie(SESSION_NAME, $_COOKIE[SESSION_NAME], $exp, $sPath, $sDomain, $bSecure, $bHTTPOnly);
 
 // Store the update time of the session cookie
 $this->set('sessionExpires', $exp);
diff --git a/share/server/core/classes/GlobalMainCfg.php b/share/server/core/classes/GlobalMainCfg.php
index 5bde493..60ece08 100644
--- a/share/server/core/classes/GlobalMainCfg.php
+++ b/share/server/core/classes/GlobalMainCfg.php
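Review bot: `$bSecure` and `$bHTTPOnly` in the first hunk hold whatever `cfg()` returns for a MATCH_BOOLEAN option — judging by the GlobalMainCfg defaults that is the string '0' or '1' — and are handed unchanged to the bool `secure`/`httponly` parameters of `session_set_cookie_params()` in the second hunk and `setcookie()` in the third. PHP's loose coercion maps '0' to false and '1' to true, so the shipped defaults behave, but any other spelling MATCH_BOOLEAN might admit (a non-empty string such as 'false' coerces to true) would silently flip a flag; normalising at the read site, `$bSecure = cfg('global', 'sesscookiesecure') == '1';` and likewise for `$bHTTPOnly`, makes the accepted values explicit. Because both flags are purely deploy-time settings, an installation already served over HTTPS gets no Secure protection until an administrator edits nagvis.ini.php; a follow-up could OR in a request-derived default (`!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'`) so TLS deployments are safe by default without breaking plain-HTTP ones, bearing in mind that behind a TLS-terminating proxy that variable is typically absent. The method containing these lines starts before the first hunk and ends after the third, so whether all three share one scope is inferred from the hunk headers rather than visible here.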
@@ -273,6 +273,18 @@ class GlobalMainCfg {
 'editable' => 1,
 'default' => '86400',
 'match' => MATCH_STRING),
+ 'sesscookiesecure' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => '0',
+ 'match' => MATCH_BOOLEAN
+ ),
+ 'sesscookiehttponly' => Array(
+ 'must' => 0,
+ 'editable' => 1,
+ 'default' => '0',
+ 'match' => MATCH_BOOLEAN
+ ),
 'shinken_features' => Array('must' => 1,
 'editable' => 1,
 'default' => '0',
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech _______________________________________________ Nagvis-checkins mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nagvis-checkins
