Fix cookie security settings

WIP
artefactual · Jul 24, 2023 · 5d30fb7 · 5d30fb7
1 parent d996e1c
commit 5d30fb7
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/apps/qubit/config/qubitConfiguration.class.php b/apps/qubit/config/qubitConfiguration.class.php
@@ -24,7 +24,7 @@ class qubitConfiguration extends sfApplicationConfiguration
 
     public function listenToChangeCultureEvent(sfEvent $event)
     {
-        setcookie('atom_culture', $event['culture'], ['path' => '/']);
+        setcookie('atom_culture', $event['culture'], ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'strict']);
     }
 
     /**

diff --git a/apps/qubit/modules/user/actions/loginAction.class.php b/apps/qubit/modules/user/actions/loginAction.class.php
@@ -69,7 +69,7 @@ public function execute($request)
                     }
 
                     // Can be read by reverse proxies to allow users to bypass caching
-                    setcookie('atom_authenticated', '1', ['path' => '/']);
+                    setcookie('atom_authenticated', '1', ['path' => '/', 'secure' => true, 'samesite' => 'strict']);
 
                     if (null !== $next = $this->form->getValue('next')) {
                         $this->redirect($next);

diff --git a/lib/myUser.class.php b/lib/myUser.class.php
@@ -75,7 +75,7 @@ public function initialize(sfEventDispatcher $dispatcher, sfStorage $storage, $o
         // Allow reverse proxies to know, via the "atom_authenticated" cookie, if a user
         // is authenticated and should be able to bypass the cache
         if (!isset($_COOKIE['atom_authenticated']) || $_COOKIE['atom_authenticated'] != $isAuthenticated) {
-            setcookie('atom_authenticated', $isAuthenticated, ['path' => '/']);
+            setcookie('atom_authenticated', $isAuthenticated, ['path' => '/', 'secure' => true, 'samesite' => 'strict']);
         }
 
         // Allow reverse proxies to pass a header to change culture