1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-22 21:40:55 +01:00

Fix login issue with stale HTTP vs HTTPS cookies

Summary:
In D758, I tightened the scope for which we issue cookies. Instead of setting
them on the whole domain we set them only on the subdomain, and we set them as
HTTPS only if the install is HTTPS.

However, this can leave the user with a stale HTTP cookie which the browser
sends and which never gets cleared. Handle this situation by:

  - Clear all four <domain, https> pairs when clearing cookies ("nuke it from
orbit").
  - Clear 'phsid' cookies when they're invalid.

Test Plan: Applied a hackier version of this patch to secure.phabricator.com and
was able to login with a stale HTTP cookie.

Reviewers: jungejason, tuomaspelkonen, aran

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 838
This commit is contained in:
epriestley 2011-08-19 11:43:18 -07:00
parent 51bd08da27
commit ed33e59c5a
2 changed files with 26 additions and 18 deletions

View file

@ -204,26 +204,31 @@ class AphrontRequest {
if ($value == '') {
// NOTE: If we're clearing the cookie, also clear it on the entire
// domain. This allows us to clear older cookies which we didn't scope
// as tightly.
setcookie(
$name,
$value,
$expire,
$path = '/',
$domain = '',
$secure = ($base_protocol == 'https'),
$http_only = true);
// domain and both HTTP/HTTPS versions. This allows us to clear older
// cookies which we didn't scope as tightly. Eventually we could remove
// this, although it doesn't really hurt us. Basically, we're just making
// really sure that cookies get cleared when we try to clear them.
$secure_options = array(true, false);
$domain_options = array('', $base_domain);
} else {
// Otherwise, when setting cookies, set only one tightly-scoped cookie.
$is_secure = ($base_protocol == 'https');
$secure_options = array($is_secure);
$domain_options = array($base_domain);
}
setcookie(
$name,
$value,
$expire,
$path = '/',
$base_domain,
$secure = ($base_protocol == 'https'),
$http_only = true);
foreach ($secure_options as $cookie_secure) {
foreach ($domain_options as $cookie_domain) {
setcookie(
$name,
$value,
$expire,
$path = '/',
$cookie_domain,
$cookie_secure,
$http_only = true);
}
}
}
final public function setUser($user) {

View file

@ -50,6 +50,9 @@ abstract class PhabricatorController extends AphrontController {
$phsid);
if ($info) {
$user->loadFromArray($info);
} else {
// The session cookie is invalid, so clear it.
$request->clearCookie('phsid');
}
}