Hi guys,

I read these slides on how to hack sites that don't set the 'secure'
flag on their cookies:
http://fscked.org/blog/fully-automated-active-https-cookie-hijacking

So, as I'm working on a 'logged in user session' thing that outlives
witty sessions, I've added this patch to wt git master.

It just adds a bool 'secure' flag to the setCookie method in WApplication.

You can only use it when the user is logged in via SSL, and all it
does is tell the browser, only send this cookie when using an SSL
connection.

I haven't touched the code for witty's sessions cookies .. possibly
that'll need a bunch of config code and documentation too; but it
could be a base for possible future session code.

I haven't tested it out on browsers yet .. I'll update this list after
I've proved it working.

Kind Regards,
Matthew Sherborne

Patch:

diff --git a/src/Wt/WApplication b/src/Wt/WApplication
index faee3b6..84c1c8f 100644
--- a/src/Wt/WApplication
+++ b/src/Wt/WApplication
@@ -1366,6 +1366,11 @@ public:
    * By default the cookie only applies to the current path on the
    * current domain. To set a proper value for domain, see also RFC2109.
    *
+   * If you know you're on a https connection and the cookie is to do with
+   * security, you should set 'secure' to true. When 'secure' is set, most
+   * browsers will only send the cookie when connected via https. This can
+   * help defend against certain hack attempts.
+   *
    * \if cpp
    * \note %Wt provides session tracking automatically, and may be configured
    *       to use a cookie for this. You only need to use cookies yourself
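Review bot: The added doc paragraph describes the flag's effect only as "can help defend against certain hack attempts", which tells the caller nothing about what is actually guaranteed; the comment is the only place an application author will read about this parameter. I would replace the last sentence with `* the cookie is then never transmitted over an unencrypted connection, so it cannot be read by anyone observing plain-HTTP traffic to the same host.` and add that the default is false, so existing callers keep sending their cookies over both schemes. The rest of this Doxygen block, and the declaration it documents, continue in the next hunk.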
@@ -1376,7 +1381,8 @@ public:
    */
   void setCookie(const std::string& name, const std::string& value,
                 int maxAge, const std::string& domain = "",
-                const std::string& path = "");
+                const std::string& path = "",
+                bool secure=false);

   /*! \brief Adds an HTML meta header.
    *
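Review bot: The new default argument is written `bool secure=false` while the neighbouring defaults in the same declaration are spaced as `domain = ""` and `path = ""`; keep the declaration consistent with `bool secure = false);`. Since this parameter is the one most likely to be set from a request-dependent condition, it would also help to state in the block above that passing true on a response that is not itself served over https produces a cookie the browser will never return.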
diff --git a/src/Wt/WApplication.C b/src/Wt/WApplication.C
index 9e7e4a0..99375d8 100644
--- a/src/Wt/WApplication.C
+++ b/src/Wt/WApplication.C
@@ -888,9 +888,9 @@ void WApplication::setTwoPhaseRenderingThreshold(int bytes)

 void WApplication::setCookie(const std::string& name, const std::string& value,
                             int maxAge, const std::string& domain,
-                            const std::string& path)
+                            const std::string& path, bool secure)
 {
-  session_->renderer().setCookie(name, value, maxAge, domain, path);
+  session_->renderer().setCookie(name, value, maxAge, domain, path, secure);
 }

 void WApplication::addMetaHeader(const std::string& name,
diff --git a/src/web/WebRenderer.C b/src/web/WebRenderer.C
index 2442e7f..7d70d86 100644
--- a/src/web/WebRenderer.C
+++ b/src/web/WebRenderer.C
@@ -397,9 +397,10 @@ void WebRenderer::serveError(WebResponse&
response, const std::string& message)

 void WebRenderer::setCookie(const std::string name, const std::string value,
                            int maxAge, const std::string domain,
-                           const std::string path)
+                           const std::string path,
+                bool secure)
 {
-  cookiesToSet_.push_back(Cookie(name, value, path, domain, maxAge));
+  cookiesToSet_.push_back(Cookie(name, value, path, domain, maxAge, secure));
 }

 void WebRenderer::setCaching(WebResponse& response, bool allowCache)
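Review bot: The continuation line `bool secure)` is indented to column 16 rather than aligned with the other parameters of the definition above it, and the matching declaration in WebRenderer.h has the same misalignment on its `bool secure);` line. Align both with the preceding `const std::string path,` so the signature reads as one parameter list. The surrounding parameters are taken as `const std::string` by value rather than `const std::string&`; that predates this patch, but the new line follows the existing pattern, which is fine for a bool.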
@@ -428,6 +429,8 @@ void WebRenderer::setHeaders(WebResponse&
response, const std::string mimeType)
       cookies += " Domain=" + cookiesToSet_[i].domain + ";";
     if (!cookiesToSet_[i].path.empty())
       cookies += " Path=" + cookiesToSet_[i].path + ";";
+    if (cookiesToSet_[i].secure)
+      cookies += " Secure;";

     if (!cookies.empty())
       response.addHeader("Set-Cookie", cookies);
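Review bot: The `Secure;` attribute is appended purely on the caller's flag; nothing in setHeaders ties it to whether this response is actually going out over TLS, so a cookie set with `secure=true` on a plain-http response is silently accepted but never sent back by the browser, which looks like a logged-in user who cannot stay logged in. A one-line comment next to the new branch would save the next reader that debugging, e.g. `// Secure: the browser returns this cookie over https only; setting it on a plain-http response yields a cookie that is never sent back.`, and a warning log when secure is set on a non-https response would make the misuse visible. While the Set-Cookie string is being assembled here, an HttpOnly attribute (keeps the cookie out of reach of page scripts) is the natural companion to Secure and would fit the same pattern; that can be a follow-up. setHeaders begins above this hunk, so I cannot see whether the request scheme is available in scope.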
diff --git a/src/web/WebRenderer.h b/src/web/WebRenderer.h
index 1f48335..c464199 100644
--- a/src/web/WebRenderer.h
+++ b/src/web/WebRenderer.h
@@ -66,7 +66,8 @@ public:

   void setCookie(const std::string name, const std::string value,
                 int maxAge, const std::string domain,
-                const std::string path);
+                const std::string path,
+         bool secure);

   bool preLearning() const { return learning_; }
   void learningIncomplete();
@@ -82,9 +83,10 @@ private:
     std::string path;
     std::string domain;
     int maxAge;
+    bool secure;

-    Cookie(std::string n, std::string v, std::string p, std::string d, int m)
-      : name(n), value(v), path(p), domain(d), maxAge(m) { }
+    Cookie(std::string n, std::string v, std::string p, std::string
d, int m, bool s)
+      : name(n), value(v), path(p), domain(d), maxAge(m), secure(s) { }
   };

   WebSession& session_;
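Review bot: The added constructor line `+    Cookie(std::string n, std::string v, std::string p, std::string` is split from `d, int m, bool s)` onto a second, unprefixed line, which looks like mail-client wrapping rather than the patch itself; as posted, this hunk (and the wrapped `@@` headers of the two WebRenderer.C hunks) will not apply with git am or patch. Resending as an attachment or with `git send-email` would avoid that. The member ordering `maxAge`, then `secure` matches the initializer list, so there is no reorder warning to expect from the change itself.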
diff --git a/src/web/WebSession.C b/src/web/WebSession.C
index b2afd72..a6eac1e 100644
--- a/src/web/WebSession.C
+++ b/src/web/WebSession.C
@@ -2202,7 +2202,7 @@ void WebSession::generateNewSessionId()
   if (controller_->configuration().sessionTracking()
       == Configuration::CookiesURL) {
     std::string cookieName = env_->deploymentPath();
-    renderer().setCookie(cookieName, sessionId_, -1, "", "");
+    renderer().setCookie(cookieName, sessionId_, -1, "", "", false);
// TODO: pass true at end to use secure cookies
   }
 }
 #endif // WT_TARGET_JAVA
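Review bot: The session-id cookie, the one cookie that most needs this protection, is the only caller that hard-codes `false`, and the reminder `// TODO: pass true at end to use secure cookies` sits at column 0 inside the `if` body instead of at the block's indentation. Rather than a constant, the value should come from whether the current request arrived over https (WEnvironment exposes the URL scheme, if I recall correctly), optionally gated by a configuration switch, e.g. `renderer().setCookie(cookieName, sessionId_, -1, "", "", env_->urlScheme() == "https");`, so that an https deployment gets a Secure session cookie without a code change; confirm the accessor name against WEnvironment. If the project would rather keep the TODO for now, indent it to match the surrounding block. generateNewSessionId starts above this hunk.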
