Kijin Sung
3ca551e5f2
Fix multidomain not working when domain is IDN
2020-03-26 22:12:33 +09:00
Kijin Sung
a49f2f5f06
Change Context::isAlwaysSSL() to config('session.use_ssl_cookies')
- Main session cookie is httpOnly if use_ssl is true
- SSO cookie is always httpOnly
2018-08-06 01:23:22 +09:00
Min-Soo Kim
d090f402cc
Set session cookie as a httpOnly cookie.
Handling the PHP session cookie directly from JavaScript is not something that happens in the core, and it does not seem like a desirable practice either, so I am patching it.
2018-07-29 18:40:21 +09:00
Min-Soo Kim
30fd0c428c
Improve cookie security; Secure flag
When the "always use SSL" option is enabled, add the secure flag so that the cookie is likewise only used over SSL.
In the optional SSL case, the cookie must remain readable in sections where SSL is not applied, so the flag is not applied there.
Changes in this PR
- Add a checkSslEnforce method to the Context class
- When the "always use SSL" option is enabled, bake cookies with the secure flag where possible
- The SSO cookie is not expected to need JavaScript access (https://github.com/rhymix/rhymix/pull/1034), so the `httpOnly` flag is also added.
For Android WebView, according to the StackOverflow post "Reading secure cookies in android WebView", reading them is possible. If the protocol is not written in the URL, cookies with the secure flag do not seem to be read properly, so those using Android WebView will likely need to handle this.
I merged https://github.com/rhymix/rhymix/pull/1034 by mistake, so I am submitting it again.
Co-Authored-By: Kijin Sung <kijin@kijinsung.com>
2018-07-29 12:15:24 +09:00
Min-Soo Kim
b62a1322c9
Revert "Merge branch 'develop' into develop"
This reverts commit ec54bbd415, reversing
changes made to 9b12e0a71c.
2018-07-29 11:54:14 +09:00
Min-Soo Kim
f8edfacde2
Refine secure cookie flag
Changed to reference site_module_info directly instead of _use_ssl.
Renamed the function to read a bit more naturally.
2018-04-28 11:25:15 +09:00
Min-Soo Kim
c1c9a94623
Improve cookie security; Secure flag
When the "always use SSL" option is enabled, add the `secure` flag so that the cookie is likewise only used over SSL.
In the optional SSL case, the cookie must remain readable in sections where SSL is not applied, so the flag is not applied there.
2018-04-24 19:30:38 +09:00
Kijin Sung
591e9cb270
Revert "Improve cookie secure setting values"
This reverts commit 73da2af393.
2018-04-23 00:43:24 +09:00
Kijin Sung
cfca05c897
Revert "Fix httpOnly flag by mistake.... (#1032)"
This reverts commit 0347bb7053.
2018-04-23 00:42:12 +09:00
Min-Soo Kim
0347bb7053
Fix httpOnly flag by mistake.... (#1032)
73da2af393 fix.
2018-04-23 00:17:26 +09:00
Min-Soo Kim
73da2af393
Improve cookie secure setting values
Set the secure flag on cookies whenever it can be determined that HTTPS is in use.
2018-04-22 23:58:13 +09:00
Kijin Sung
e3a2c1a6aa
Guard more count() calls in common framework classes
2017-12-09 02:49:01 +09:00
Kijin Sung
a3ef122b57
Merge branch 'develop' into pr/csrf-token
2017-03-13 16:35:24 +09:00
Kijin Sung
beee2165fb
Update session class to use getDefaultDomainInfo() for SSO
2017-03-13 11:35:37 +09:00
Kijin Sung
a0f2388842
Add Session::getGenericToken() for general-purpose token handling
2017-03-06 11:24:09 +09:00
Kijin Sung
5bd5044126
Improve referer checks in Session::checkSSO()
2017-03-04 22:15:46 +09:00
Kijin Sung
8cf3d7b520
Update SSO mechanism to use new domain system
2017-03-04 22:05:16 +09:00
Kijin Sung
cf01038ce6
Refresh member info when setSessionInfo() is called
2017-03-03 01:05:13 +09:00
Kijin Sung
fbe47e0610
Remove temporary list of override domains in Session class
2017-02-18 22:57:39 +09:00
Kijin Sung
5c8a41a655
Fix PHP warning
2017-02-17 21:38:03 +09:00
Kijin Sung
2582ef2100
More thoroughly delete conflicting cookies
2017-02-17 21:09:57 +09:00
Kijin Sung
64f0d5cb45
Remove Android Chrome from buggy user-agent list
2017-02-17 20:24:13 +09:00
Kijin Sung
51acad706e
Remove unnecessary regex replacement
2017-02-17 20:15:56 +09:00
Kijin Sung
50410ec482
Delete conflicting wildcard cookies from subdomain
2017-02-17 19:44:01 +09:00
Kijin Sung
780034d4ee
Do not explicitly set the domain for session cookies
2017-02-17 19:33:05 +09:00
Kijin Sung
cbae2c374e
Use meta refresh instead of 302 redirect on new session
Attempting to fix missing session cookie in some versions of Android webview and Chrome.
This may or may not be of any use, but why not try?
See https://bugs.chromium.org/p/chromium/issues/detail?id=150066
2017-02-16 11:53:27 +09:00
Kijin Sung
b43c653186
Add options to control session keys and SSL-only attribute
2017-02-14 13:37:30 +09:00
Kijin Sung
dea757cfb7
Do not refresh session keys over POST
2017-02-13 17:49:27 +09:00
Kijin Sung
a6fee16b68
Extend detection of buggy user agents that cannot handle session keys
2017-02-13 17:28:04 +09:00
Kijin Sung
9c96dc04bc
Remove debugging code
2017-02-13 16:54:25 +09:00
Kijin Sung
aeb42891b0
Do not check security keys if session was started on Android webview
2017-02-13 16:53:30 +09:00
Kijin Sung
ba925150a3
Quash www subdomain to prevent duplicate sessions
2017-02-13 13:55:47 +09:00
Kijin Sung
4a4612938a
Show warning when a session is discarded due to invalid keys
2017-02-12 23:12:53 +09:00
Kijin Sung
1a0e49dcfb
Change method for storing and caching session validity information
2017-02-12 23:00:53 +09:00
Kijin Sung
9884bbb3b8
Fix inconsistent whitespace
2017-02-11 21:55:01 +09:00
Kijin Sung
31623842ba
Fix logout bug in admin module
2017-02-11 21:41:21 +09:00
Kijin Sung
1e532c51a4
Restore member_srl if it was changed by a third-party program
2017-02-11 21:13:18 +09:00
Kijin Sung
b32ae03396
Fix session variables being reset to an empty string
2017-02-11 14:15:38 +09:00
Kijin Sung
dfdbc1db85
Add session helper class and move remainder of session validation logic to Session class
2017-02-10 20:50:38 +09:00
Kijin Sung
4b26db9932
Fix unit tests, and add tests for Session::isValid()
2017-02-09 00:42:34 +09:00
Kijin Sung
3be0e79abb
Improve session invalidation routines
2017-02-09 00:34:01 +09:00
Kijin Sung
c7d8d84500
Add option to invalidate other sessions on password change
Feature request in https://www.xetown.com/lakepark/345786
2017-02-09 00:06:32 +09:00
Kijin Sung
bdb10d57c5
Miscellaneous fixes to session handling
2017-02-08 21:35:00 +09:00
Kijin Sung
59c3fa1381
Fix unexpected cast to int
2017-02-08 18:06:26 +09:00
Kijin Sung
2af90c8e1d
Implement autologin in the Session class
2017-02-08 17:08:31 +09:00
Kijin Sung
af41f36bf7
Move checkSSO() from Context class to Session class
2017-02-07 23:26:43 +09:00
Kijin Sung
c1b932d360
Add unit tests for Session::checkStart()
2016-10-05 20:26:56 +09:00
Kijin Sung
7d85a8dd14
Use common variable to refer to session name
2016-10-05 17:40:09 +09:00
Kijin Sung
b7c558a96f
Move session delay feature into Session class
2016-10-05 17:26:05 +09:00
Kijin Sung
ab3d1b5fd6
Fix miscellaneous bugs and improve security of Session class
2016-08-19 23:07:11 +09:00