From 2ad5cb136d8fc469aedbc2adea249d18f5584779 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Wed, 27 Aug 2008 06:10:33 +0000
Subject: [PATCH] =?utf8?q?Bug=20449984:=20Login=20cookies=20should=20be=20?=
 =?utf8?q?created=20as=20SSL-only=20on=20installations=20that=20require=20?=
 =?utf8?q?SSL=20-=20Patch=20by=20Fr=C3=83=C2=A9d=C3=83=C2=A9ric=20Buclin?=
 =?utf8?q?=20=20r/a=3Dmkanat?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 Bugzilla/Auth/Persist/Cookie.pm | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 4928068e51..9098f8989b 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -67,6 +67,9 @@ sub persist_login {
               VALUES (?, ?, ?, NOW())",
               undef, $login_cookie, $user->id, $ip_addr);
 
+    # Prevent JavaScript from accessing login cookies.
+    my %cookieargs = ('-httponly' => 1);
+
     # Remember cookie only if admin has told so
     # or admin didn't forbid it and user told to remember.
     if ( Bugzilla->params->{'rememberlogin'} eq 'on' ||
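Review bot: The new hash is keyed with quoted strings (`'-httponly'` here, `'-expires'` and `'-secure'` in the next hunk) while the `send_cookie` calls it is flattened into write the same options as barewords (`-name =>`, `-value =>`); using one form throughout makes it obvious that `%cookieargs` is merged into the same option list, e.g. `my %cookieargs = (-httponly => 1);`. A one-line comment saying that the hash is deliberately shared by both cookies sent at the end of the sub would also help, since the `%cookieargs` splat at the call sites is easy to overlook. persist_login starts before this hunk and continues past it.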
@@ -74,23 +77,23 @@ sub persist_login {
         $cgi->param('Bugzilla_remember') &&
         $cgi->param('Bugzilla_remember') eq 'on') )
     {
-        $cgi->send_cookie(-name => 'Bugzilla_login',
-                          -value => $user->id,
-                          -httponly => 1,
-                          -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
-        $cgi->send_cookie(-name => 'Bugzilla_logincookie',
-                          -value => $login_cookie,
-                          -httponly => 1,
-                          -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+        # Not a session cookie, so set an infinite expiry
+        $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
     }
-    else {
-        $cgi->send_cookie(-name => 'Bugzilla_login',
-                          -value => $user->id,
-                          -httponly => 1);
-        $cgi->send_cookie(-name => 'Bugzilla_logincookie',
-                          -value => $login_cookie,
-                          -httponly => 1);
+    if (Bugzilla->params->{'ssl'} ne 'never'
+        && Bugzilla->params->{'sslbase'} ne '')
+    {
+        # Bugzilla->login will automatically redirect to https://,
+        # so it's safe to turn on the 'secure' bit.
+        $cookieargs{'-secure'} = 1;
     }
+
+    $cgi->send_cookie(-name => 'Bugzilla_login',
+                      -value => $user->id,
+                      %cookieargs);
+    $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+                      -value => $login_cookie,
+                      %cookieargs);
 }
 
 sub logout {

-- 
2.47.2
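Review bot: The `-secure` bit is decided by re-deriving the "installation requires SSL" rule as `ssl ne 'never' && sslbase ne ''`, and the comment's "it's safe" claim only holds if Bugzilla->login applies exactly the same rule; should the two drift apart, or persist_login be reached while the response is still plain http, the cookie is marked Secure on an http response and the user may end up with no login cookie at all rather than a merely insecure one. Moving that test into one helper shared by the redirect and this block (or, more directly, also requiring that the current request is itself HTTPS before setting the bit) would keep the comment true by construction. The comment itself could state the dependency explicitly, e.g. `# Keep in sync with the SSL redirect in Bugzilla->login: the secure bit is only safe if the response is sent over https.`. persist_login begins before the previous hunk; `sub logout` opens on the last line here and its body, where the same cookies are presumably cleared, is outside the hunk.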