2018-01-03

2018-01-03 10:38:21 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Wizards: Set the secure flag on RoxenWizardId cookie if https.

Fixes [WS-135].

917:       string wizard_id = id->cookies["RoxenWizardId"];    if (!sizeof(wizard_id || "")) { +  // Create a new cookie.    wizard_id = (string)random(0x7fffffff); -  id->add_response_header("Set-Cookie", -  sprintf("RoxenWizardId=%s; path=/", wizard_id)); +  // Set the secure flag on the cookie if accessed over https [WS-135]. +  // NB: The cookie is used from Javascript, so it can't have +  // httponly set. +  Roxen.set_cookie(id, "RoxenWizardId", wizard_id, 0, 0, "/", +  id->client_prot && id->client_prot() == "https", 0);    id->cookies["RoxenWizardId"] = wizard_id;    DEBUGMSG(sprintf("Wizard: Generated new wizard_id: %s\n", wizard_id));    }
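
Review bot: the Secure flag is only applied inside the `if (!sizeof(wizard_id || ""))` branch, so a browser that already holds a RoxenWizardId cookie (issued before this change, or on an earlier plain-http request) keeps it without the flag and will go on sending it over http. Consider re-issuing the cookie through Roxen.set_cookie when the request is https and a cookie is already present, or note in the comment that existing cookies are left as they are. Two smaller points on the same lines: the positional arguments `0, 0, "/", ..., 0` would be easier to audit with a short comment naming each one, since only the secure and httponly positions are explained; and the value still comes from `random(0x7fffffff)`, which caps it at 31 bits, so if the wizard id is meant to be unguessable a longer value would be worth a follow-up.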