HttpOnly flag for session cookie to prevent possible XSS - thx @melbinkm!

This commit is contained in:
azett 2022-10-01 14:07:54 +02:00
parent 9df201725f
commit 34fb2f3e6b
5 changed files with 28 additions and 25 deletions

View File

@ -121,6 +121,7 @@ if (isset($_SERVER ['HTTPS'])) {
$serverport = "false"; $serverport = "false";
// Unterstützung für Apache und IIS // Unterstützung für Apache und IIS
ini_set('session.cookie_secure', 1); ini_set('session.cookie_secure', 1);
ini_set('session.cookie_httponly', 1);
if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) { if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
$serverport = "https://"; $serverport = "https://";
} else { } else {

View File

@ -23,6 +23,8 @@ function cookie_setup() {
define('COOKIE_DOMAIN', false); define('COOKIE_DOMAIN', false);
if (!defined('COOKIE_SECURE')) if (!defined('COOKIE_SECURE'))
define('COOKIE_SECURE', true); define('COOKIE_SECURE', true);
if (!defined('COOKIE_HTTPONLY'))
define('COOKIE_HTTPONLY', true);
} }
if (!function_exists('wp_get_cookie_login')) : if (!function_exists('wp_get_cookie_login')) :
@ -62,20 +64,20 @@ function cookie_set($username, $password, $already_md5 = false, $home = '', $sit
else else
$expire = 0; $expire = 0;
setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
if ($cookiepath != $sitecookiepath) { if ($cookiepath != $sitecookiepath) {
setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
} }
} }
function cookie_clear() { function cookie_clear() {
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
} }
if (!function_exists('wp_login')) : if (!function_exists('wp_login')) :

View File

@ -5,7 +5,7 @@ function sess_setup() {
session_save_path(SESSION_PATH); session_save_path(SESSION_PATH);
session_name(SESS_COOKIE); session_name(SESS_COOKIE);
setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE); setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
session_start(); session_start();
} }
@ -32,7 +32,7 @@ function sess_get($key) {
function sess_close() { function sess_close() {
unset($_SESSION); unset($_SESSION);
if (isset($_COOKIE [session_name()])) { if (isset($_COOKIE [session_name()])) {
setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE); setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE, COOKIE_HTTPONLY);
session_set_cookie_params(-42000); session_set_cookie_params(-42000);
} }
session_destroy(); session_destroy();

View File

@ -64,8 +64,8 @@ function user_login($userid, $pwd, $params = null) {
if ($loggedin) { if ($loggedin) {
// session_regenerate_id(); // session_regenerate_id();
$expire = time() + 31536000; $expire = time() + 31536000;
setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
} }
return $loggedin; return $loggedin;
@ -76,8 +76,8 @@ function user_logout() {
if (user_loggedin()) { if (user_loggedin()) {
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE); setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY);
} }
$loggedin = false; $loggedin = false;

View File

@ -6,7 +6,7 @@
*/ */
function _get_nextprev_link($nextprev) { function _get_nextprev_link($nextprev) {
global $fpdb; global $fpdb;
$q = & $fpdb->getQuery(); $q = &$fpdb->getQuery();
list ($caption, $id) = call_user_func(array( list ($caption, $id) = call_user_func(array(
&$q, &$q,
@ -42,7 +42,7 @@ if (!function_exists('get_nextpage_link')) :
function get_nextpage_link() { function get_nextpage_link() {
global $fpdb; global $fpdb;
$q = & $fpdb->getQuery(); $q = &$fpdb->getQuery();
$a = _get_nextprev_link('NextPage'); $a = _get_nextprev_link('NextPage');
@ -59,7 +59,7 @@ if (!function_exists('get_prevpage_link')) :
function get_prevpage_link() { function get_prevpage_link() {
global $fpdb; global $fpdb;
$q = & $fpdb->getQuery(); $q = &$fpdb->getQuery();
$a = _get_nextprev_link('PrevPage'); $a = _get_nextprev_link('PrevPage');
@ -292,12 +292,12 @@ if (!function_exists('wp_setcookie')) :
$cookiehash = md5($siteurl); $cookiehash = md5($siteurl);
} }
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE); setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE); setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
if ($cookiepath != $sitecookiepath) { if ($cookiepath != $sitecookiepath) {
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE); setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE); setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE, COOKIE_HTTPONLY);
} }
} }
endif; endif;
@ -305,10 +305,10 @@ endif;
if (!function_exists('wp_clearcookie')) : if (!function_exists('wp_clearcookie')) :
function wp_clearcookie() { function wp_clearcookie() {
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE); setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE); setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE); setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE); setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE, COOKIE_HTTPONLY);
} }
endif; endif;