- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" per default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing context, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it, ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.

  1. … 2 more files in changeset.
activate warnings in case the old IE bug is still around

ad_sign: generalize last ad_sign handling to allow user and csrf binding

  1. … 4 more files in changeset.
ad_sign: new optional parameter "user_binding"

The parameter user_binding allows binding a signature to a user. When the value is "-1" only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

  1. … 2 more files in changeset.
improve comments, make function private to avoid confusions

switch from security::nonce_token to ::security::csp::nonce and update comments

replace broken redirect with standard redirect function (auth::require_login)

no need for eagerly releasing handles

add proc doc for private function

Cookie security reform:

- fix handling of persistent logins while addressing problems of last commits

- increase usage of try/throw to be able to distinguish exceptions

- fix handling of LoginTimeout 0 in cryptographic expiration

- use [ad_conn behind_secure_proxy_p] on more occasions, where security::secure_conn_p is used (maybe fold these together in the future)

- new private proc security::log to ease debugging of cookie management

- further improved documentation

- fix several documentation bugs (align documentation with implementation)

- use "throw" as well for invalid cookies (in addition to non-existent cookies)

add session_id invalidation

treat behind_secure_proxy_p like security::secure_conn_p for using secure cookies in general and for the secure login cookie

use secure token when running behind a secure proxy the same way as when running directly a secure session

Don't trust value of login_level just on basis of the session cookie

modernize exception handling: use proper try/throw instead of swallowing "catch"

call sec_login_handler instead of just sec_generate_session_id_cookie, since otherwise, a cryptographically valid session cookie could be used without an ad_login_cookie

improve spelling

  1. … 15 more files in changeset.
make handling of session_ids more robust (necessary for user-switching feature)

fix typo

  1. … 1 more file in changeset.
factor out validation of provided host header.

report only once, that host header is invalid

  1. … 2 more files in changeset.
Fix typo in proc doc

Fix typos in proc doc

improve comments

  1. … 10 more files in changeset.
fix for redirect-to-secure, when SuppressHttpPort is set

This changes as well:

- improve symmetry security::get_insecure_location and security::get_secure_location

- add regression test to cover basic cases

- bump version number of acs-tcl to 5.10.0d19

  1. … 2 more files in changeset.
bug fix: Do not return a location with a port, when SuppressHttpPort is set

for details, see: https://openacs.org/forums/message-view?message_id=5399931

improve spelling

  1. … 2 more files in changeset.
Fix proc and contract doc elements, so they are properly parsed by apidoc::api_*_documentation.

- @parameter -> @param

- @params -> @param

- Add missing @param

- @cvs -> @cvs-id

- @version -> @cvs-id

  1. … 12 more files in changeset.
reduce verbosity

switch back to previous code based on sec_generate_session_id_cookie to fix persistent logins