
Author Topic: OsClass cookie secure flag  (Read 148 times)

SmaRTeY

OsClass cookie secure flag
« on: August 28, 2019, 03:35:31 pm »
Hi all,

just had a security check done on my website/server and there was a cookie issue. After some analysis I found that most cookies including the OsClass cookie do not use the Security Flag when a new session starts. For some reason it is better to set it to true if you use https so what you can do for a fix is this:

Find file "oc-includes/osclass/core/Session.php" and go to function "function session_start()"
Inside the function add the following code:

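Code:
// Secure only on real HTTPS requests; IIS sets HTTPS to "off" on plain HTTP.
$currentCookieParams["secure"] = ( !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' );
and put it below the following code: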

Code:
            if ( defined('COOKIE_DOMAIN') ) {
                $currentCookieParams["domain"] = COOKIE_DOMAIN;
            }

To test you can use developer tools in your browser and check the cookies and their security status before and after this code change. NB. don't forget to clear your cache/cookies when testing the scenarios.

P.S. make sure ALL cookies in use by your website have the flag set to true (i.e. plugins/themes)


Regards,
Eric
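
Added example, not part of the original post or of the Osclass code: a small checker for the "make sure ALL cookies have the flag" step, which reads response headers (for instance saved from `curl -sI`) and lists every cookie set without the Secure attribute. The sample headers and the cookie names in them are constructed for illustration.

```python
# Constructed sample of response headers; cookie names and values are invented.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: osclass=abc123; path=/; secure; HttpOnly
Set-Cookie: plugin_pref=grid; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/
set-cookie: theme_lang=en_US; Path=/; SECURE
Set-Cookie: note=secure; path=/
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_from_headers(raw):
    """Return (name, attrs) for every Set-Cookie line in a raw header block."""
    cookies = []
    for line in raw.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
    return cookies


def missing_secure(raw):
    """Names of cookies that were set without the Secure attribute."""
    # Only attribute names are checked, so a cookie whose *value* is "secure"
    # (the 'note' cookie in the sample) is still reported.
    return [name for name, attrs in cookies_from_headers(raw)
            if "secure" not in attrs]


if __name__ == "__main__":
    for name in missing_secure(SAMPLE_HEADERS):
        print(f"cookie without Secure flag: {name}")
```

Run it against headers captured from several pages of the site, since plugins and themes may only set their cookies on particular pages.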

dev101

Re: OsClass cookie secure flag
« Reply #1 on: September 02, 2019, 06:51:05 pm »
Thanks Eric,
I have made a PR to NT's dev branch, but the code is a bit different to follow previous line style in that file.

Regards

marius-ciclistu

Re: OsClass cookie secure flag
« Reply #2 on: September 02, 2019, 08:37:05 pm »
Thank you.

Dimal

Re: OsClass cookie secure flag
« Reply #3 on: September 02, 2019, 08:44:34 pm »
Thanks !!!

But as to make that for all plugins and themes ... We are doomed I think.