Fix typo getting password cookie. Security-harden cookie usage.

Author: dhague

pkg/api/keystone/keystone.go

@@ -67,7 +67,7 @@ func getNewToken(c *middleware.Context) (string, error) {
 	var keystonePasswordObj interface{}
 	if setting.KeystoneCookieCredentials {
 		if setting.KeystoneCredentialAesKey != "" {
-			c.GetCookie(middleware.SESS_KEY_PASSWORD)
+			keystonePasswordObj = c.GetCookie(middleware.SESS_KEY_PASSWORD)
 		} else {
 			keystonePasswordObj = c.GetCookie(middleware.SESS_KEY_PASSWORD)
 		}

pkg/api/login.go

@@ -13,6 +13,7 @@ import (
 	m "github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
+	"gopkg.in/macaron.v1"
 )
 
 const (
@@ -117,7 +118,14 @@ func LoginPost(c *middleware.Context, cmd dtos.LoginCommand) Response {
 			cmd.Password = keystone.EncryptPassword(cmd.Password)
 		}
 		if setting.KeystoneCookieCredentials {
-			c.SetCookie(middleware.SESS_KEY_PASSWORD, cmd.Password)
+			log.Debug("c.Req.Header.Get(\"X-Forwarded-Proto\"): %s", c.Req.Header.Get("X-Forwarded-Proto"))
+			var days interface{}
+			if setting.LogInRememberDays == 0 {
+				days = nil
+			} else {
+				days = 86400 * setting.LogInRememberDays
+			}
+			c.SetCookie(middleware.SESS_KEY_PASSWORD, cmd.Password, days, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
 		} else {
 			c.Session.Set(middleware.SESS_KEY_PASSWORD, cmd.Password)
 		}
@@ -144,17 +152,22 @@ func loginUserWithUser(user *m.User, c *middleware.Context) {
 
 	days := 86400 * setting.LogInRememberDays
 	if days > 0 {
-		c.SetCookie(setting.CookieUserName, user.Login, days, setting.AppSubUrl+"/")
-		c.SetSuperSecureCookie(util.EncodeMd5(user.Rands+user.Password), setting.CookieRememberName, user.Login, days, setting.AppSubUrl+"/")
+		c.SetCookie(setting.CookieUserName, user.Login, days, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+		c.SetSuperSecureCookie(util.EncodeMd5(user.Rands+user.Password),
+			setting.CookieRememberName, user.Login, days, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
 	}
 
 	c.Session.Set(middleware.SESS_KEY_USERID, user.Id)
 }
 
 func Logout(c *middleware.Context) {
-	c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/")
-	c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/")
-	c.SetCookie(middleware.SESS_KEY_PASSWORD, "", -1, setting.AppSubUrl+"/")
+	c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+	c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
+	c.SetCookie(middleware.SESS_KEY_PASSWORD, "", -1, setting.AppSubUrl+"/", nil, isSecure(&c.Req), true)
 	c.Session.Destory(c)
 	c.Redirect(setting.AppSubUrl + "/login")
 }
+
+func isSecure(r *macaron.Request) bool {
+	return (r.TLS != nil) || (r.Header.Get("X-Forwarded-Proto") == "https")
+}

pkg/middleware/session.go

@@ -14,7 +14,7 @@ import (
 const (
 	SESS_KEY_USERID      = "uid"
 	SESS_KEY_OAUTH_STATE = "state"
-	SESS_KEY_PASSWORD    = "password"
+	SESS_KEY_PASSWORD    = "grafana_password"
 )
 
 var sessionManager *session.Manager