fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PM-2039 "Las cookies de sesion no se ha definido con el flag..." SOLVED

Browse Source 
Issue:
    Las cookies de sesion no se ha definido con el flag HttpOnly esta debe definirse para mitigar ataques de tipo
    cross-site scripting.
Cause:
    No se a definido el parametro "httponly" al momento de usar la funcion "setcookie"
Solution:
    Se define el parametro "httponly" al momento de usar la funcion "setcookie"
This commit is contained in:
Victor Saisa Lopez
2015-04-20 17:01:38 -04:00
parent bd51761043
commit e1875b1ede
2 changed files with 13 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
workflow/engine/xmlform/login/sysLoginNoWSpm3.xml
View File

@@ -24,12 +24,12 @@ SELECT LANG_ID, LANG_NAME FROM langOptions
</BSUBMIT>
<JS type="javascript"><![CDATA[
window.onload= function(){
window.onload= function(){
document.getElementById('form[USR_USERNAME]').placeholder = _('ID_USER');
document.getElementById('form[USR_PASSWORD_MASK]').placeholder = _('ID_PASSWORD');
document.getElementById('form[USER_ENV]').placeholder = _('ID_WORKSPACE');
document.getElementById('form[BSUBMIT]').classList.remove('module_app_button___gray');
document.getElementById('form[BSUBMIT]').classList.add('button-login-success');
document.getElementById('form[BSUBMIT]').classList.add('button-login-success');
};
setFocus (getField ('USR_USERNAME'));
@@ -49,8 +49,7 @@ leimnud.event.add(document.getElementById('form[USR_PASSWORD_MASK]'), 'keypress'
});
leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function() {
ws = getField('USER_ENV').value;
createCookie('pmos_generik2', '{"ws":"'+ws+'"}', 365);
createCookie("pm_sys_sys", "{\"sys_sys\": \"" + getField("USER_ENV").value + "\"}", 365);
var client = getBrowserClient();
if (client.browser == "msie" || client.browser == "safari"){
@@ -63,12 +62,14 @@ leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function()
}.extend(document.getElementById('form[BSUBMIT]')));
try{
c = new String(readCookie('pmos_generik2'));
o = eval("("+c+")");
if( o != null){
getField('USER_ENV').value = o.ws;
var s = new String(readCookie("pm_sys_sys"));
var obj = eval("(" + s + ")");
if (obj != null) {
getField("USER_ENV").value = obj.sys_sys;
}
} catch(e){}
]]></JS>
</dynaForm>

7
workflow/public_html/app.php
View File

@@ -10,12 +10,12 @@ register_shutdown_function(
)
);
/*
* ProcessMaker Web Application Bootstrap
*/
ini_set("session.cookie_httponly", 1);
if (isset($_SERVER['UNENCODED_URL'])) {
$_SERVER['REQUEST_URI'] = $_SERVER['UNENCODED_URL'];
}
try {
$rootDir = realpath(__DIR__ . "/../../") . DIRECTORY_SEPARATOR;
@@ -90,3 +90,4 @@ try {
$response = new Maveriks\Http\Response($view->getOutput(), 503);
$response->send();
}