Bug 9102 : Followup Set HttpOnly on the CGISESSID cookie
authorJonathan Druart <jonathan.druart@biblibre.com>
Mon, 3 Dec 2012 10:17:27 +0000 (11:17 +0100)
committerJared Camins-Esakov <jcamins@cpbibliography.com>
Fri, 1 Feb 2013 15:50:12 +0000 (10:50 -0500)
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
C4/Auth.pm
C4/Templates.pm
cataloguing/additem.pl
installer/InstallAuth.pm

index 2eb63f5..ac3f3f8 100644 (file)
@@ -264,12 +264,13 @@ sub get_template_and_user {
                                                       $_->{'time'},
                             ) foreach @recentSearches;
 
-                                       # And then, delete the cookie's content
-                                       my $newsearchcookie = $in->{'query'}->cookie(
-                                                                                               -name => 'KohaOpacRecentSearches',
-                                                                                               -value => freeze([]),
-                                                                                               -expires => ''
-                                                                                        );
+                    # And then, delete the cookie's content
+                    my $newsearchcookie = $in->{'query'}->cookie(
+                                                -name => 'KohaOpacRecentSearches',
+                                                -value => freeze([]),
+                                                -HttpOnly => 1,
+                                                -expires => ''
+                                             );
                                        $cookie = [$cookie, $newsearchcookie];
                                }
                        }
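Review bot: The seven rewritten lines of the `KohaOpacRecentSearches` cookie() call are re-indented with spaces at a shallower depth than the tab-indented context around them (`$cookie = [$cookie, $newsearchcookie];` and the closing braces that follow), so the block now reads as if it sat in an outer scope; either leave the whitespace alone in a security follow-up or re-indent the whole block consistently. It is also worth confirming that no OPAC JavaScript reads this cookie: with `-HttpOnly => 1` the browser stops exposing it through `document.cookie`, which is the intended protection but would silently break any client-side reader. get_template_and_user continues outside the hunk.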
@@ -632,8 +633,8 @@ sub checkauth {
     # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml
     my $casparam = $query->param('cas');
 
-    if ( $userid = $ENV{'REMOTE_USER'} ) {
-        # Using Basic Authentication, no cookies required
+        if ( $userid = $ENV{'REMOTE_USER'} ) {
+            # Using Basic Authentication, no cookies required
         $cookie = $query->cookie(
             -name     => 'CGISESSID',
             -value    => '',
@@ -1135,7 +1136,11 @@ sub check_api_auth {
                 $sessionID = undef;
                 return ("expired", undef, undef);
             } else {
-                my $cookie = $query->cookie( CGISESSID => $session->id );
+                my $cookie = $query->cookie(
+                    -name  => 'CGISESSID',
+                    -value => $session->id,
+                    -HttpOnly => 1,
+                );
                 $session->param('lasttime',time());
                 my $flags = haspermission($userid, $flagsrequired);
                 if ($flags) {
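Review bot: The rebuilt CGISESSID cookie gains `-HttpOnly => 1` but still has no `-secure` flag, so on an HTTPS deployment the session id is sent along with any plain-HTTP request to the same host; consider `-secure => ( $query->https ? 1 : 0 ),` next to the HttpOnly flag. The same applies to the second cookie() call in check_api_auth below and to the CGISESSID cookies in installer/InstallAuth.pm. As far as I recall CGI::Cookie drops option names it does not recognise without any error, so on a CGI.pm too old to know `httponly` the flag would vanish silently; if the declared module dependencies do not already pin a minimum CGI version, this change is the place to add one. check_api_auth continues outside the hunk.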
@@ -1179,7 +1184,11 @@ sub check_api_auth {
 
             my $sessionID = $session->id;
             C4::Context->_new_userenv($sessionID);
-            my $cookie = $query->cookie(CGISESSID => $sessionID);
+            my $cookie = $query->cookie(
+                -name  => 'CGISESSID',
+                -value => $sessionID,
+                -HttpOnly => 1,
+            );
             if ( $return == 1 ) {
                 my (
                     $borrowernumber, $firstname,  $surname,
index 507e077..78dcddd 100644 (file)
@@ -305,6 +305,7 @@ sub setlanguagecookie {
     my $cookie = $query->cookie(
         -name    => 'KohaOpacLanguage',
         -value   => $language,
+        -HttpOnly => 1,
         -expires => '+3y'
     );
     print $query->redirect(
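Review bot: The inserted `-HttpOnly => 1,` is the only key in this cookie() call whose fat comma is not column-aligned with `-name    =>`, `-value   =>` and `-expires =>`; either widen the existing keys or pad the new one so the argument list stays aligned. The same misalignment appears in the cataloguing/additem.pl hunk and in the two installer/InstallAuth.pm hunks that add the flag to an existing cookie() call, whereas the calls rebuilt from scratch in this commit are aligned. setlanguagecookie continues outside the hunk.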
index c9875ca..1bd19a7 100755 (executable)
@@ -418,6 +418,7 @@ if ($op eq "additem") {
                     -name => 'LastCreatedItem',
                     # We uri_escape the whole freezed structure so we're sure we won't have any encoding problems
                     -value   => uri_escape_utf8( freeze( $record ) ),
+                    -HttpOnly => 1,
                     -expires => ''
                 );
 
index 5b99c1f..0015a14 100644 (file)
@@ -262,7 +262,11 @@ sub checkauth {
                 $session->param('emailaddress'),
                 $session->param('branchprinter')
             );
-            $cookie   = $query->cookie( CGISESSID => $session->id );
+            $cookie = $query->cookie(
+                -name     => 'CGISESSID',
+                -value    => $session->id,
+                -HttpOnly => 1,
+            );
             $loggedin = 1;
             $userid   = $session->param('cardnumber');
         }
@@ -298,7 +302,11 @@ sub checkauth {
             # printf L "%20s from %16s logged in  at %30s.\n", $userid,
             #  $ENV{'REMOTE_ADDR'}, $time;
             # close L;
-            $cookie = $query->cookie( CGISESSID => $sessionID );
+            $cookie = $query->cookie(
+                -name     => 'CGISESSID',
+                -value    => $sessionID,
+                -HttpOnly => 1,
+            );
             if ( $return == 2 ) {
 
            #Only superlibrarian should have access to this page.
@@ -342,6 +350,7 @@ sub checkauth {
             $cookie = $query->cookie(
                 -name    => 'CGISESSID',
                 -value   => '',
+                -HttpOnly => 1,
                 -expires => ''
             );
         }
@@ -382,6 +391,7 @@ sub checkauth {
     $cookie = $query->cookie(
         -name    => 'CGISESSID',
         -value   => $sessionID,
+        -HttpOnly => 1,
         -expires => ''
     );
     print $query->header(