refactor remember me cookie close #260

upgrade security rename it from authtoken to rememberme
vincent-peugnet · Dec 24, 2023 · 7ed78aa · 7ed78aa
1 parent 1664d3b
commit 7ed78aa
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/app/class/Controller.php b/app/class/Controller.php
@@ -59,7 +59,7 @@ protected function setuser()
                 Logger::warning("Deleted session using non existing user : '$sessionuser'");
                 $this->servicesession->empty(); // empty the session as a non existing user was set
             }
-        } elseif (!empty($_COOKIE['authtoken'])) {
+        } elseif (!empty($_COOKIE['rememberme'])) {
             try {
                 $modelconnect = new Modelconnect();
                 $datas = $modelconnect->checkcookie();

diff --git a/app/class/Controllerhome.php b/app/class/Controllerhome.php
@@ -176,7 +176,7 @@ protected function deepsearch(): array
     protected function listquery(): void
     {
         if (isset($_POST['listquery']) && $this->user->iseditor()) {
-            $datas = array_merge($_POST, $_SESSION['opt']);
+            $datas = array_merge($_POST, $this->servicesession->getopt());
             $this->optlist = new Optlist($datas);
             if (!empty($this->optlist->bookmark())) {
                 $this->optlist->resetall();

diff --git a/app/class/Modelconnect.php b/app/class/Modelconnect.php
@@ -24,9 +24,17 @@ public function createauthcookie(string $userid, string $wsession, int $conserva
             throw new RuntimeException("Secret Key not set");
         }
         $jwt = JWT::encode($datas, Config::secretkey());
-        $cookie = setcookie('authtoken', $jwt, time() + $conservation * 24 * 3600, '/' . Config::basepath(), "", false, true);
+        $options = [
+            'expires' => time() + $conservation * 24 * 3600,
+            'path' => '/' . Config::basepath(),
+            'domain' => '',
+            'secure' => Config::issecure(),
+            'httponly' => true,
+            'samesite' => 'Strict'
+        ];
+        $cookie = setcookie('rememberme', $jwt, $options);
         if (!$cookie) {
-            throw new RuntimeException("Cant be send");
+            throw new RuntimeException("Remember me cookie cannot be created");
         }
     }
 
@@ -37,8 +45,8 @@ public function createauthcookie(string $userid, string $wsession, int $conserva
      */
     public function checkcookie(): array
     {
-        if (!empty($_COOKIE['authtoken'])) {
-            $datas = JWT::decode($_COOKIE['authtoken'], Config::secretkey(), ['HS256']);
+        if (!empty($_COOKIE['rememberme'])) {
+            $datas = JWT::decode($_COOKIE['rememberme'], Config::secretkey(), ['HS256']);
             return get_object_vars($datas);
         } else {
             throw new RuntimeException('Auth cookie is unset');
@@ -50,6 +58,6 @@ public function checkcookie(): array
      */
     public function deleteauthcookie(): void
     {
-        $_COOKIE['authtoken'] = [];
+        $_COOKIE['rememberme'] = [];
     }
 }