Updated Cookies Attributes

* Set explicitly Cookie SameSite * Updated security policies for cookies Change-Id: I3a42d1787a225b62ba9c88eac0789e30edf1791f
2020-02-14 23:19:05 -03:00
parent 69d363ef92
commit 87a701c098
3 changed files with 58 additions and 7 deletions
--- a/app/Services/OAuth2/PrincipalService.php
+++ b/app/Services/OAuth2/PrincipalService.php
@@ -42,7 +42,17 @@ final class PrincipalService implements IPrincipalService
        Log::debug(sprintf("PrincipalService::get - user_id %s auth_time %s op_browser_state %s", $user_id, $auth_time, $op_browser_state));
        if(!Cookie::has(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME)){
            Log::debug("PrincipalService::get cookie op_bs is missing trying to set it again ...");
-            Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, $op_browser_state, Config::get("session.lifetime", 120), $path = '/', $domain = null, $secure = false, $httpOnly = false);
+            Cookie::queue
+            (
+                IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME,
+                $op_browser_state,
+                Config::get("session.lifetime", 120),
+                $path = Config::get("session.path"),
+                $domain = Config::get("session.domain"),
+                $secure = true,
+                $httpOnly = false,
+                $sameSite = 'None'
+            );
        }
        $principal->setState
        (
@@ -91,7 +101,17 @@ final class PrincipalService implements IPrincipalService
        // Maintain a `op_browser_state` cookie along with the `sessionid` cookie that
        // represents the End-User's login state at the OP. If the user is not logged
        $op_browser_state  = $this->calculateBrowserState();
-        Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, $op_browser_state, Config::get("session.lifetime", 120), $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Cookie::queue
+        (
+            IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME,
+            $op_browser_state,
+            Config::get("session.lifetime", 120),
+            $path = Config::get("session.path"),
+            $domain = Config::get("session.domain"),
+            $secure = true,
+            $httpOnly = false,
+            $sameSite = 'None'
+        );
        Log::debug(sprintf("PrincipalService::register op_browser_state %s", $op_browser_state));
        Session::put(self::OPBrowserState, $op_browser_state);
        Session::save();
@@ -107,7 +127,17 @@ final class PrincipalService implements IPrincipalService
        Session::remove(self::AuthTimeParam);
        Session::remove(self::OPBrowserState);
        Session::save();
-        Cookie::queue(IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME, null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Cookie::queue
+        (
+            IPrincipalService::OP_BROWSER_STATE_COOKIE_NAME,
+            null,
+            $minutes = -2628000,
+            $path = Config::get("session.path"),
+            $domain = Config::get("session.domain"),
+            $secure = true,
+            $httpOnly = false,
+            $sameSite = 'None'
+        );
    }

 }
--- a/app/libs/Auth/AuthService.php
+++ b/app/libs/Auth/AuthService.php
@@ -120,7 +120,18 @@ final class AuthService implements IAuthService
        $this->invalidateSession();
        Auth::logout();
        $this->principal_service->clear();
-        Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, null, $minutes = -2628000, $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        // put in past
+        Cookie::queue
+        (
+            IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME,
+            null,
+            $minutes = -2628000,
+            $path = Config::get("session.path"),
+            $domain = Config::get("session.domain"),
+            $secure = true,
+            $httpOnly = true,
+            $sameSite = 'None'
+        );
    }

    /**
@@ -292,7 +303,17 @@ final class AuthService implements IAuthService
            $rps = "";
        }

-        Cookie::queue(IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME, $rps, Config::get("session.lifetime", 120) , $path = '/', $domain = null, $secure = false, $httpOnly = false);
+        Cookie::queue
+        (
+            IAuthService::LOGGED_RELAYING_PARTIES_COOKIE_NAME,
+            $rps,
+            Config::get("session.lifetime", 120),
+            $path = Config::get("session.path"),
+            $domain = Config::get("session.domain"),
+            $secure = true,
+            $httpOnly = true,
+            $sameSite = 'None'
+        );
    }

    /**
--- a/config/logging.php
+++ b/config/logging.php
@@ -40,13 +40,13 @@ return [

        'single' => [
            'driver' => 'single',
-            'path' => storage_path('/logs/laravel-'.get_current_user().'.log'),
+            'path' => storage_path('/logs/laravel.log'),
            'level' => env('LOG_LEVEL', 'error'),
        ],

        'daily' => [
            'driver' => 'daily',
-            'path' => storage_path('/logs/laravel-'.get_current_user().'.log'),
+            'path' => storage_path('/logs/laravel.log'),
            'level' => env('LOG_LEVEL', 'error'),
            'days' => 7,
        ],