PM-2039 "Las cookies de sesion no se ha definido con el flag..." SOLVED

Issue: Las cookies de sesion no se ha definido con el flag HttpOnly esta debe definirse para mitigar ataques de tipo cross-site scripting. Cause: No se a definido el parametro "httponly" al momento de usar la funcion "setcookie" Solution: Se define el parametro "httponly" al momento de usar la funcion "setcookie"
2015-04-20 17:01:38 -04:00
parent bd51761043
commit e1875b1ede
2 changed files with 13 additions and 11 deletions
--- a/workflow/engine/xmlform/login/sysLoginNoWSpm3.xml
+++ b/workflow/engine/xmlform/login/sysLoginNoWSpm3.xml
@@ -24,12 +24,12 @@ SELECT LANG_ID, LANG_NAME FROM langOptions
  </BSUBMIT>
  <JS type="javascript"><![CDATA[
-window.onload= function(){  
+window.onload= function(){
  document.getElementById('form[USR_USERNAME]').placeholder = _('ID_USER');
  document.getElementById('form[USR_PASSWORD_MASK]').placeholder = _('ID_PASSWORD');
  document.getElementById('form[USER_ENV]').placeholder = _('ID_WORKSPACE');
  document.getElementById('form[BSUBMIT]').classList.remove('module_app_button___gray');
-  document.getElementById('form[BSUBMIT]').classList.add('button-login-success');  
+  document.getElementById('form[BSUBMIT]').classList.add('button-login-success');
 };
 setFocus (getField ('USR_USERNAME'));
@@ -49,8 +49,7 @@ leimnud.event.add(document.getElementById('form[USR_PASSWORD_MASK]'), 'keypress'
 });
 leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function() {
-    ws = getField('USER_ENV').value;
+    createCookie("pm_sys_sys", "{\"sys_sys\": \"" + getField("USER_ENV").value + "\"}", 365);
    createCookie('pmos_generik2', '{"ws":"'+ws+'"}', 365);
    var client = getBrowserClient();
    if (client.browser == "msie" || client.browser == "safari"){
@@ -63,12 +62,14 @@ leimnud.event.add(document.getElementById('form[BSUBMIT]'), 'click', function()
 }.extend(document.getElementById('form[BSUBMIT]')));
 try{
-    c = new String(readCookie('pmos_generik2'));
+    var s = new String(readCookie("pm_sys_sys"));
-    o = eval("("+c+")");
+    var obj = eval("(" + s + ")");
-    if( o != null){
+
-        getField('USER_ENV').value = o.ws;
+    if (obj != null) {
        getField("USER_ENV").value = obj.sys_sys;
    }
 } catch(e){}
 ]]></JS>
 </dynaForm>
--- a/workflow/public_html/app.php
+++ b/workflow/public_html/app.php
@@ -10,12 +10,12 @@ register_shutdown_function(
    )
 );
-/*
+ini_set("session.cookie_httponly", 1);
- * ProcessMaker Web Application Bootstrap
+
 */
 if (isset($_SERVER['UNENCODED_URL'])) {
    $_SERVER['REQUEST_URI'] = $_SERVER['UNENCODED_URL'];
 }
 try {
    $rootDir = realpath(__DIR__ . "/../../") . DIRECTORY_SEPARATOR;
@@ -90,3 +90,4 @@ try {
    $response = new Maveriks\Http\Response($view->getOutput(), 503);
    $response->send();
 }