From 7ed78aa4ffb1770d22c84a9e2ce9f5ec2df0fa91 Mon Sep 17 00:00:00 2001
From: vincent-peugnet
Date: Sun, 24 Dec 2023 18:17:11 +0100
Subject: [PATCH] refactor remember me cookie close #260 upgrade security rename it from authtoken to rememberme
---
 app/class/Controller.php | 2 +-
 app/class/Controllerhome.php | 2 +-
 app/class/Modelconnect.php | 18 +++++++++++++-----
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/app/class/Controller.php b/app/class/Controller.php
index f7797b16..b5c5d8d8 100644
--- a/app/class/Controller.php
+++ b/app/class/Controller.php
@@ -59,7 +59,7 @@ protected function setuser()
 Logger::warning("Deleted session using non existing user : '$sessionuser'");
 $this->servicesession->empty(); // empty the session as a non existing user was set
 }
- } elseif (!empty($_COOKIE['authtoken'])) {
+ } elseif (!empty($_COOKIE['rememberme'])) {
 try {
 $modelconnect = new Modelconnect();
 $datas = $modelconnect->checkcookie();
diff --git a/app/class/Controllerhome.php b/app/class/Controllerhome.php
index 8de71f09..1a67af19 100644
--- a/app/class/Controllerhome.php
+++ b/app/class/Controllerhome.php
@@ -176,7 +176,7 @@ protected function deepsearch(): array
 protected function listquery(): void
 {
 if (isset($_POST['listquery']) && $this->user->iseditor()) {
- $datas = array_merge($_POST, $_SESSION['opt']);
+ $datas = array_merge($_POST, $this->servicesession->getopt());
 $this->optlist = new Optlist($datas);
 if (!empty($this->optlist->bookmark())) {
 $this->optlist->resetall();
diff --git a/app/class/Modelconnect.php b/app/class/Modelconnect.php
index 641a05b3..3494d1ba 100644
--- a/app/class/Modelconnect.php
+++ b/app/class/Modelconnect.php
@@ -24,9 +24,17 @@ public function createauthcookie(string $userid, string $wsession, int $conserva
 throw new RuntimeException("Secret Key not set");
 }
 $jwt = JWT::encode($datas, Config::secretkey());
- $cookie = setcookie('authtoken', $jwt, time() + $conservation * 24 * 3600, '/' . Config::basepath(), "", false, true);
+ $options = [
+ 'expires' => time() + $conservation * 24 * 3600,
+ 'path' => '/' . Config::basepath(),
+ 'domain' => '',
+ 'secure' => Config::issecure(),
+ 'httponly' => true,
+ 'samesite' => 'Strict'
+ ];
+ $cookie = setcookie('rememberme', $jwt, $options);
 if (!$cookie) {
- throw new RuntimeException("Cant be send");
+ throw new RuntimeException("Remember me cookie cannot be created");
 }
 }
@@ -37,8 +45,8 @@ public function createauthcookie(string $userid, string $wsession, int $conserva
 */
 public function checkcookie(): array
 {
- if (!empty($_COOKIE['authtoken'])) {
- $datas = JWT::decode($_COOKIE['authtoken'], Config::secretkey(), ['HS256']);
+ if (!empty($_COOKIE['rememberme'])) {
+ $datas = JWT::decode($_COOKIE['rememberme'], Config::secretkey(), ['HS256']);
 return get_object_vars($datas);
 } else {
 throw new RuntimeException('Auth cookie is unset');
@@ -50,6 +58,6 @@ public function checkcookie(): array
 */
 public function deleteauthcookie(): void
 {
- $_COOKIE['authtoken'] = [];
+ $_COOKIE['rememberme'] = [];
 }
 }
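Review bot: The deadline in `'expires'` is enforced only by the browser; checkcookie() in the next hunk verifies the signature alone, so unless `$datas` (built above this hunk, not visible here) already carries an `exp` claim, a copied cookie keeps authenticating after the `$conservation` days have elapsed. Compute the deadline once, `$expires = time() + $conservation * 24 * 3600;`, add `$datas['exp'] = $expires;` before the `JWT::encode` call and reuse `$expires` in the options array — if the library is firebase/php-jwt, decode then rejects the expired token by itself. Two smaller points: `'samesite' => 'Strict'` withholds the cookie on cross-site top-level navigations, so a returning user who follows a link from elsewhere lands logged out until the next same-site request, and `'Lax'` is the usual choice for a remember-me cookie while still blocking cross-site POSTs; and `'secure' => Config::issecure()` makes transport protection depend on that setting being right behind a TLS-terminating proxy, which deserves a comment such as `// secure must be true whenever the site is served over HTTPS, including behind a reverse proxy`. The enclosing createauthcookie() starts before the hunk.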
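Review bot: The exception message `'Auth cookie is unset'` still uses the old name while the cookie and the createauthcookie() error text were renamed in this same commit; `throw new RuntimeException('Remember me cookie is unset');` keeps the two messages consistent for anyone grepping logs. A docblock line on checkcookie() would also help, since it returns the raw claims after signature verification only and leaves it to the caller (Controller::setuser() in this patch) to confirm the named user still exists: `Returns the verified JWT claims of the remember-me cookie; callers must still validate the user they name.` The docblock that precedes checkcookie() starts before the hunk.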
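Review bot: `$_COOKIE['rememberme'] = [];` only clears the superglobal for the current request — no Set-Cookie header is emitted, so the browser keeps the remember-me cookie and the signed JWT inside it authenticates again on the next visit, which undercuts whatever logout path calls deleteauthcookie(). Expire it client-side with the same path/domain/secure attributes it was created with (a mismatch makes the browser treat it as a different cookie) and drop the local copy so the rest of the request does not see it either. Even then a previously captured token stays valid until its expiry because nothing is revoked server-side; if that matters, the claims need something checkable against stored state — the `$wsession` passed to createauthcookie() may already serve that purpose, but its use is not visible here. Headers must not have been sent yet when this runs; if the call sites cannot guarantee that, check setcookie()'s return value as createauthcookie() does.
```php
public function deleteauthcookie(): void
{
    // Same attributes as createauthcookie(); otherwise the browser keeps the
    // original cookie and only a same-named sibling gets expired.
    setcookie('rememberme', '', [
        'expires' => time() - 3600,
        'path' => '/' . Config::basepath(),
        'domain' => '',
        'secure' => Config::issecure(),
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    unset($_COOKIE['rememberme']);
}
```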