Improve cookie security; Secure flag

SSL 항상 사용 옵션인 경우 쿠키도 이에 맞추어 SSL 인 경우에만 사용되도록 `secure` flag 를 추가합니다.
선택적 SSL 인 경우 SSL 이 적용되지 않은 구간에서도 쿠키를 읽을 수 있어야 하므로, 적용하지 않습니다.

classes/context/Context.class.php

@@ -300,7 +300,7 @@ class Context
 		{
 			if($_COOKIE['lang_type'] !== $lang_type)
 			{
-				setcookie('lang_type', $lang_type, $_SERVER['REQUEST_TIME'] + 3600 * 24 * 1000, '/');
+				setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, self::checkSslEnforce());
 			}
 		}
 		elseif($_COOKIE['lang_type'])
@@ -316,7 +316,7 @@ class Context
 					if(!strncasecmp($lang_code, $_SERVER['HTTP_ACCEPT_LANGUAGE'], strlen($lang_code)))
 					{
 						$lang_type = $lang_code;
-						setcookie('lang_type', $lang_type, $_SERVER['REQUEST_TIME'] + 3600 * 24 * 1000, '/');
+						setcookie('lang_type', $lang_type, time() + 86400 * 365, '/', null, self::checkSslEnforce());
 					}
 				}
 			}
@@ -617,6 +617,22 @@ class Context
 		return self::get('_use_ssl');
 	}
 
+	
+	/**
+	 * Return ssl status
+	 *
+	 * @return boolean (true|false)
+	 */
+	public static function checkSslEnforce()
+	{
+		static $ssl_only = null;
+		if(is_null($ssl_only))
+		{
+			$ssl_only = (self::get('_use_ssl') === 'always' ? true : false)
+		}
+		return $ssl_only;
+	}
+
 	/**
 	 * Return default URL
 	 *
@@ -1769,7 +1785,7 @@ class Context
 			return;
 		}
 
-		if(self::get('_use_ssl') == 'always')
+		if(self::checkSslEnforce())
 		{
 			$ssl_mode = ENFORCE_SSL;
 		}

classes/mobile/Mobile.class.php

@@ -73,7 +73,7 @@ class Mobile
 		$uatype = $uahash . ':' . (self::$_ismobile ? '1' : '0');
 		if ($cookie !== $uatype)
 		{
-			setcookie('rx_uatype', $uatype, 0);
+			setcookie('rx_uatype', $uatype, 0, null, null, Context::checkSslEnforce());
 			$_COOKIE['rx_uatype'] = $uatype;
 		}
 		

common/framework/session.php

@@ -295,7 +295,7 @@ class Session
 		if(!$is_default_domain && !\Context::get('sso_response') && $_COOKIE['sso'] !== md5($current_domain))
 		{
 			// Set sso cookie to prevent multiple simultaneous SSO validation requests.
-			setcookie('sso', md5($current_domain), 0, '/');
+			setcookie('sso', md5($current_domain), 0, '/', null, Context::checkSslEnforce());
 			
 			// Redirect to the default site.
 			$sso_request = Security::encrypt($current_url);

common/js/common.js

@@ -1055,7 +1055,8 @@ function getOuterHTML(obj) {
 function setCookie(name, value, expire, path) {
 	var s_cookie = name + "=" + escape(value) +
 		((!expire) ? "" : ("; expires=" + expire.toGMTString())) +
-		"; path=" + ((!path) ? "/" : path);
+		"; path=" + ((!path) ? "/" : path) +
+		((enforce_ssl) ? ";secure" : "");
 
 	document.cookie = s_cookie;
 }

common/tpl/common_layout.html

@@ -55,7 +55,7 @@
 	var current_mid = {json_encode($mid ?: null)};
 	var http_port = {Context::get("_http_port") ?: 'null'};
 	var https_port = {Context::get("_https_port") ?: 'null'};
-	var enforce_ssl = {Context::get('_use_ssl') === 'always' ? 'true' : 'false'};
+	var enforce_ssl = {Context::checkSslEnforce() ? 'true' : 'false'};
 	var ssl_actions = {json_encode(array_keys(Context::getSSLActions()))};
 	var xeVid = null;
 </script>

modules/member/member.view.php

@@ -192,7 +192,7 @@ class memberView extends member
 	function dispMemberSignUpForm()
 	{
 		//setcookie for redirect url in case of going to member sign up
-		setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER']);
+		setcookie("XE_REDIRECT_URL", $_SERVER['HTTP_REFERER'], 0, '/', null, Context::checkSslEnforce());
 
 		$member_config = $this->member_config;
 

widgets/login_info/skins/ncenter_login/js/ncenter.js

@@ -8,7 +8,7 @@
 				dt.setTime(dt.getTime() + (d * 24 * 60 * 60000));
 				e = "; expires=" + dt.toGMTString();
 			}
-			document.cookie = n + "=" + v + e + "; path=/";
+			document.cookie = n + "=" + v + e + "; path=/" + ((enforce_ssl) ? ";secure" : "");
 		}
 
 		var n = $('#nc_container');