From 93dae51cda127ca4aecf5e31d3d74ab04719d8e3 Mon Sep 17 00:00:00 2001
From: Stefan
Date: Wed, 8 Jun 2016 20:08:50 +0200
Subject: [PATCH 1/5] Remove test cookie

---
 src/static/js/pad.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/static/js/pad.js b/src/static/js/pad.js
index 25b1a24d..2009d124 100644
--- a/src/static/js/pad.js
+++ b/src/static/js/pad.js
@@ -502,8 +502,7 @@ var pad = {
 // To use etherpad you have to allow cookies.
 // This will check if the creation of a test-cookie has success.
 // Otherwise it shows up a message to the user.
- createCookie("test", "test");
- if (!readCookie("test"))
+ if (!readCookie("prefs"))
 {
 $('#loading').hide();
 $('#noCookie').show();

From 06ff0230474f9c3b5baa4e5827b897f42fe16213 Mon Sep 17 00:00:00 2001
From: Stefan
Date: Wed, 8 Jun 2016 21:14:10 +0200
Subject: [PATCH 2/5] Add secure flag to cookies on client side if pad accessed through https

---
 src/static/js/pad_cookie.js | 7 ++++++-
 src/static/js/pad_utils.js | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/static/js/pad_cookie.js b/src/static/js/pad_cookie.js
index 9866dbfd..b563a7e6 100644
--- a/src/static/js/pad_cookie.js
+++ b/src/static/js/pad_cookie.js
@@ -43,7 +43,8 @@ var padcookie = (function()
 {
 var expiresDate = new Date();
 expiresDate.setFullYear(3000);
- document.cookie = ('prefs=' + safeText + ';expires=' + expiresDate.toGMTString());
+ var secure = isHttpsScheme() ? ";secure" : "";
+ document.cookie = ('prefs=' + safeText + ';expires=' + expiresDate.toGMTString() + secure);
 }
 function parseCookie(text)
@@ -79,6 +80,10 @@ var padcookie = (function()
 alreadyWarnedAboutNoCookies = true;
 }
 }
+
+ function isHttpsScheme() {
+ return window.location.protocol == "https:";
+ }
 var wasNoCookie = true;
 var cookieData = {};
diff --git a/src/static/js/pad_utils.js b/src/static/js/pad_utils.js
index 5a7700c9..eafa14bb 100644
--- a/src/static/js/pad_utils.js
+++ b/src/static/js/pad_utils.js
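Review bot: Writing `prefs` with `;secure` only when the page is https means a browser that later loads a pad over plain http no longer sends that cookie, and browsers that protect Secure cookies also refuse to let the http page overwrite it with a non-Secure one, so the `readCookie("prefs")` check in pad.js (introduced in patch 1 of this series, re-ordered in patch 5) can show the no-cookie message although cookies are enabled. If a deployment is reachable over both schemes, the http case needs its own cookie name rather than sharing `prefs`. The function enclosing this hunk starts outside it; a short comment on the new line would help readers, e.g. `// Secure cookies are only sent over https; a later http visit will not see this cookie`.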
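Review bot: `isHttpsScheme` compares with `==` where strict equality is the idiomatic form for a string comparison, `return window.location.protocol === "https:";`. The pad_utils.js hunk of the same patch repeats the identical test inline (`window.location.protocol == "https:"`); routing both cookie writers through one helper would keep them from drifting apart. A one-line JSDoc such as `/** @returns {boolean} true when the pad was loaded over https; used to add the Secure flag to the prefs cookie */` would record the intent.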
@@ -53,13 +53,16 @@ function createCookie(name, value, days, path){ /* Used by IE */
 if(!path){ // IF the Path of the cookie isn't set then just create it on root
 path = "/";
 }
+
+ //Check if we accessed the pad over https
+ var secure = window.location.protocol == "https:" ? ";secure" : "";
 //Check if the browser is IE and if so make sure the full path is set in the cookie
 if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){
- document.cookie = name + "=" + value + expires + "; path=/"; /* Note this bodge fix for IE is temporary until auth is rewritten */
+ document.cookie = name + "=" + value + expires + "; path=/" + secure; /* Note this bodge fix for IE is temporary until auth is rewritten */
 }
 else{
- document.cookie = name + "=" + value + expires + "; path=" + path;
+ document.cookie = name + "=" + value + expires + "; path=" + path + secure;
 }
 }

From 4ea9c4f98ddabba231e59b9bd321ba1af0894552 Mon Sep 17 00:00:00 2001
From: Stefan
Date: Wed, 8 Jun 2016 21:15:26 +0200
Subject: [PATCH 3/5] Add secure flag to express-session cookies

---
 src/node/hooks/express/webaccess.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index 2cafd271..80c21837 100644
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -120,7 +120,7 @@ exports.expressConfigure = function (hook_name, args, cb) {
 }
 args.app.sessionStore = exports.sessionStore;
- args.app.use(sessionModule({secret: exports.secret, store: args.app.sessionStore, resave: true, saveUninitialized: true, name: 'express_sid' }));
+ args.app.use(sessionModule({secret: exports.secret, store: args.app.sessionStore, resave: true, saveUninitialized: true, name: 'express_sid', proxy: true, cookie: { secure: true }}));
 args.app.use(cookieParser(settings.sessionKey, {}));
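Review bot: `proxy: true` tells express-session to decide whether a request is secure from the `X-Forwarded-Proto` header alone, on every request and regardless of where it came from; on an instance that is not fronted by a proxy that overwrites that header, the value is simply client-supplied. Leaving `proxy` unset makes express-session defer to Express's `trust proxy` setting, which can be restricted to the real proxy's address, and the same applies to the patch 4 hunk of this file that keeps `proxy: true`. `expressConfigure` starts and ends outside this hunk.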
From 009b61b33843a5c03587b7e12e7d411dea0ca51e Mon Sep 17 00:00:00 2001
From: Stefan
Date: Sun, 10 Jul 2016 12:44:45 +0200
Subject: [PATCH 4/5] Make express-session cookie scheme dependent

---
 src/node/hooks/express/webaccess.js | 2 +-
 src/static/js/pad.js | 39 +----------------------------
 2 files changed, 2 insertions(+), 39 deletions(-)

diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index 80c21837..c53eb1d1 100644
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -120,7 +120,7 @@ exports.expressConfigure = function (hook_name, args, cb) {
 }
 args.app.sessionStore = exports.sessionStore;
- args.app.use(sessionModule({secret: exports.secret, store: args.app.sessionStore, resave: true, saveUninitialized: true, name: 'express_sid', proxy: true, cookie: { secure: true }}));
+ args.app.use(sessionModule({secret: exports.secret, store: args.app.sessionStore, resave: true, saveUninitialized: true, name: 'express_sid', proxy: true, cookie: { secure: !!settings.ssl }}));
 args.app.use(cookieParser(settings.sessionKey, {}));
diff --git a/src/static/js/pad.js b/src/static/js/pad.js
index 2009d124..597d084d 100644
--- a/src/static/js/pad.js
+++ b/src/static/js/pad.js
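Review bot: `secure: !!settings.ssl` ties the Secure flag to whether Etherpad terminates TLS itself, so in the common layout where a reverse proxy terminates TLS and forwards plain http, `settings.ssl` is false and `express_sid` is issued without Secure even though users connect over https. Since the same line keeps `proxy: true`, express-session can instead derive the flag per request from the forwarded scheme with `cookie: { secure: 'auto' }`, provided the express-session version in use supports that value; otherwise a dedicated "behind a TLS-terminating proxy" setting would avoid overloading `settings.ssl`. `expressConfigure` starts and ends outside this hunk.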
@@ -52,43 +52,6 @@ var hooks = require('./pluginfw/hooks');
 var receivedClientVars = false;
-function createCookie(name, value, days, path){ /* Warning Internet Explorer doesn't use this it uses the one from pad_utils.js */
- if (days)
- {
- var date = new Date();
- date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
- var expires = "; expires=" + date.toGMTString();
- }
- else{
- var expires = "";
- }
-
- if(!path){ // If the path isn't set then just whack the cookie on the root
- path = "/";
- }
-
- //Check if the browser is IE and if so make sure the full path is set in the cookie
- if((navigator.appName == 'Microsoft Internet Explorer') || ((navigator.appName == 'Netscape') && (new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})").exec(navigator.userAgent) != null))){
- document.cookie = name + "=" + value + expires + "; path="+document.location;
- }
- else{
- document.cookie = name + "=" + value + expires + "; path=" + path;
- }
-}
-
-function readCookie(name)
-{
- var nameEQ = name + "=";
- var ca = document.cookie.split(';');
- for (var i = 0; i < ca.length; i++)
- {
- var c = ca[i];
- while (c.charAt(0) == ' ') c = c.substring(1, c.length);
- if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
- }
- return null;
-}
-
 function randomString()
 {
 var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
@@ -500,7 +463,7 @@ var pad = {
 handshake();
 // To use etherpad you have to allow cookies.
- // This will check if the creation of a test-cookie has success.
+ // This will check if the prefs-cookie is set.
 // Otherwise it shows up a message to the user.
 if (!readCookie("prefs"))
 {

From 8084400e13e561813aed3759fd16e4567d3bdb39 Mon Sep 17 00:00:00 2001
From: Stefan
Date: Tue, 20 Dec 2016 21:57:01 +0100
Subject: [PATCH 5/5] Try to init cookies before testing if it exists

---
 src/static/js/pad.js | 1 +
 1 file changed, 1 insertion(+)

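Review bot: This hunk deletes the local `readCookie`, but the second hunk of the same file still calls `readCookie("prefs")` as an unchanged context line, and nothing in this patch brings a replacement into scope; pad_utils.js has its own `createCookie` (seen in patch 2) and possibly a `readCookie`, but whether pad.js imports either is not visible here. Unless `readCookie` is reachable as a global or required from pad_utils.js, the cookie check now fails with a ReferenceError during pad start-up, which the `$('#noCookie')` message would never get to report. Worth confirming against the require list at the top of pad.js, which is outside this hunk.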
diff --git a/src/static/js/pad.js b/src/static/js/pad.js
index f6642654..c967e461 100644
--- a/src/static/js/pad.js
+++ b/src/static/js/pad.js
@@ -452,6 +452,7 @@ var pad = {
 // To use etherpad you have to allow cookies.
 // This will check if the prefs-cookie is set.
 // Otherwise it shows up a message to the user.
+ padcookie.init();
 if (!readCookie("prefs"))
 {
 $('#loading').hide();
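Review bot: The three comment lines above the new `padcookie.init();` still describe a pure presence check, while the call presumably writes the `prefs` cookie so that the read that follows once again probes whether cookies can be created at all; what `init()` actually does is not visible here and should be confirmed in pad_cookie.js. If it does write the cookie, replace `// This will check if the prefs-cookie is set.` with `// padcookie.init() writes the prefs cookie; if it cannot be read back, cookies are blocked.` Whether `init()` is also invoked later in the pad start-up sequence, and whether calling it twice is harmless, is likewise outside this hunk.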