From da71e1a020d1218f748cb008572edbba965cf1cd Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 18 Apr 2016 18:38:18 +0200
Subject: [PATCH] (ui) set httponly cookie, closes https://github.com/opnsense/core/issues/897

---
 src/etc/inc/authgui.inc | 5 ++++-
 src/opnsense/mvc/app/config/services.php | 10 ++++++++++
 src/opnsense/mvc/app/config/services_api.php | 10 ++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index b621ed6da..7586af212 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -168,7 +168,10 @@ function session_auth(&$Login_Error)
     );
     if (session_status() == PHP_SESSION_NONE) {
-        session_start();
+        if (session_start()) {
+            $sess_name = session_name();
+            setcookie($sess_name, session_id(), null, '/', null, null, ($config['system']['webgui']['protocol'] == "https"));
+        }
     }
     // Detect protocol change
diff --git a/src/opnsense/mvc/app/config/services.php b/src/opnsense/mvc/app/config/services.php
index 559c9f87d..d496d3e52 100644
--- a/src/opnsense/mvc/app/config/services.php
+++ b/src/opnsense/mvc/app/config/services.php
@@ -7,6 +7,7 @@ use Phalcon\Db\Adapter\Pdo\Mysql as DbAdapter;
 use Phalcon\Mvc\View\Engine\Volt as VoltEngine;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
 use Phalcon\Session\Adapter\Files as SessionAdapter;
+use OPNsense\Core\Config;
 /**
  * The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
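Review bot: The setcookie() call added to authgui.inc passes the HTTPS check as the seventh argument, which is httponly, while the sixth argument (secure) stays null, so the legacy UI session cookie is only HttpOnly when the web GUI is configured for https and is never marked Secure; the equivalent calls in services.php and services_api.php pass `$secure` sixth and `true` seventh, which is the order the commit title describes. The line should read `setcookie($sess_name, session_id(), null, '/', null, ($config['system']['webgui']['protocol'] == "https"), true);`. Because session_start() has already emitted its own Set-Cookie header for the same name, the response now carries two of them; setting `session.cookie_httponly` and `session.cookie_secure` via ini_set() or session_set_cookie_params() before session_start() would give one correctly flagged cookie instead. Whether `$config` is in scope at this point (a `global $config;` earlier in session_auth) cannot be seen from the hunk, and session_auth's body continues outside it.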
@@ -75,6 +76,15 @@ $di->set('modelsMetadata', function () {
 $di->setShared('session', function () {
     $session = new SessionAdapter();
     $session->start();
+    // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
+    // a valid choice.
+    $cnf = Config::getInstance();
+    if ((string)$cnf->object()->system->webgui->protocol == 'https') {
+        $secure = true;
+    } else {
+        $secure = false;
+    }
+    setcookie(session_name(), session_id(), null, '/', null, $secure, true);
     return $session;
 });
diff --git a/src/opnsense/mvc/app/config/services_api.php b/src/opnsense/mvc/app/config/services_api.php
index f082dd05c..7137a99cf 100644
--- a/src/opnsense/mvc/app/config/services_api.php
+++ b/src/opnsense/mvc/app/config/services_api.php
@@ -34,6 +34,7 @@ use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
 use Phalcon\Session\Adapter\Files as SessionAdapter;
+use OPNsense\Core\Config;
 /**
  * The FactoryDefault Dependency Injector automatically register the right services providing a full stack framework
@@ -62,6 +63,15 @@ $di->set('url', function () use ($config) {
 $di->setShared('session', function () {
     $session = new SessionAdapter();
     $session->start();
+    // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
+    // a valid choice.
+    $cnf = Config::getInstance();
+    if ((string)$cnf->object()->system->webgui->protocol == 'https') {
+        $secure = true;
+    } else {
+        $secure = false;
+    }
+    setcookie(session_name(), session_id(), null, '/', null, $secure, true);
     return $session;
 });
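Review bot: The if/else that assigns `$secure` in the services.php session factory is a boolean expression written as a statement, and the comparison is loose; it reduces to `$secure = (string)$cnf->object()->system->webgui->protocol === 'https';`. The same nine added lines appear verbatim in the services_api.php session factory below, so a shared helper would keep the two in sync, and calling session_set_cookie_params() with the secure and httponly flags before `$session->start()` would also avoid the second Set-Cookie header this setcookie() adds after the one start() already emitted. The comment typo `unfortunalty` should be `unfortunately`. Both closures are complete within their hunks.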