Adds secureCookie configurable option

mberkowski · mberkowski · commit a7c25f9fff8a · 2016-10-11T18:10:12.000-05:00
diff --git a/libs/config.sample.php b/libs/config.sample.php
@@ -19,6 +19,7 @@
 	"jsPath" => "../js/csrfprotector.js",
 	"jsUrl" => "",
 	"tokenLength" => 10,
+	"secureCookie" => false,
 	"disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
 	Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
 	 See details of your web browser for how to enable JavaScript.",
diff --git a/libs/csrf/csrfprotector.php b/libs/csrf/csrfprotector.php
@@ -325,7 +325,10 @@ public static function refreshToken()
 			//set token to cookie for client side processing
 			setcookie(self::$config['CSRFP_TOKEN'], 
 				$token, 
-				time() + self::$cookieExpiryTime);
+				time() + self::$cookieExpiryTime,
+				'',
+				'',
+				(array_key_exists('secureCookie', self::$config) ? (bool)self::$config['secureCookie'] : false));
 		}
 
 		/*
diff --git a/test/csrfprotector_test.php b/test/csrfprotector_test.php
@@ -24,6 +24,19 @@ public static function checkHeader($needle)
         }
         return false;
     }
+
+    public static function getHeaderValue($needle)
+    {
+        $haystack = xdebug_get_headers();
+        foreach ($haystack as $key => $value) {
+            if (strpos($value, $needle) === 0) {
+                // Deliberately overwrite to accept the last rather than first match
+                // as xdebug_get_headers() will accumulate all set headers
+                list(,$hvalue) = explode(':', $value, 2);
+            }
+        }
+        return $hvalue;
+    }
 }
 
 
@@ -44,6 +57,7 @@ public function setUp()
     {
         csrfprotector::$config['jsPath'] = '../js/csrfprotector.js';
         csrfprotector::$config['CSRFP_TOKEN'] = 'csrfp_token';
+        csrfprotector::$config['secureCookie'] = false;
 
 
 
@@ -54,6 +68,7 @@ public function setUp()
         $_POST[csrfprotector::$config['CSRFP_TOKEN']] = $_GET[csrfprotector::$config['CSRFP_TOKEN']] = '123';
         $_SESSION[csrfprotector::$config['CSRFP_TOKEN']] = array('abc'); //token mismatch - leading to failed validation
         $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['HTTPS'] = null;
 
         $this->config = include(__DIR__ .'/../libs/config.sample.php');
         
@@ -90,6 +105,15 @@ public function testRefreshToken()
         $this->assertTrue(csrfp_wrapper::checkHeader($_SESSION[csrfprotector::$config['CSRFP_TOKEN']][1]));
     }
 
+    public function testSecureCookie()
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $_SESSION[csrfprotector::$config['CSRFP_TOKEN']] = array('123abcd');
+
+        csrfprotector::$config['secureCookie'] = true;
+        csrfprotector::refreshToken(); //will create new session and cookies
+        $this->assertRegExp('/; secure/', csrfp_wrapper::getHeaderValue('Set-Cookie'));
+    }
 
     /**
      * test authorise post -> log directory exception
