
Mailing List Archive: Interchange: users

Make MV_PASSWORD secure if set on secure page

 

 



josh at perusion

Jul 12, 2012, 11:35 AM

Post #1 of 3 (153 views)
Make MV_PASSWORD secure if set on secure page

https://github.com/jlavin/interchange/commit/0b840ab8913af5aa57ced27ab963a557ddb2f7d6

--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1572,7 +1572,7 @@ sub login {
);
}

- username_cookies($self->{PASSED_USERNAME} ||
$self->{USERNAME}, $pw)
+ username_cookies($self->{PASSED_USERNAME} ||
$self->{USERNAME}, $pw, $self->{OPTIONS}{secure_cookies})
if $Vend::Cfg->{CookieLogin};

if ($self->{LOCATION}{LAST} ne 'none') {
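Review bot: `$self->{OPTIONS}{secure_cookies}` in the `username_cookies(...)` call in `login` is a new UserDB option that the patch introduces without describing how to set it or what happens when it is unset. Please document it with the other UserDB options and state in the commit message that, when it is not given, `username_cookies` falls back to `$CGI::secure`, so the flag follows whether the login request itself arrived on a secure page.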
@@ -1998,7 +1998,7 @@ sub new_account {
else {
$self->set_values() unless
$self->{OPTIONS}{no_set};
$self->{USERNAME} = $foreign if $foreign;
- username_cookies($self->{USERNAME}, $pw)
+ username_cookies($self->{USERNAME}, $pw,
$self->{OPTIONS}{secure_cookies})
if $Vend::Cfg->{CookieLogin};

$self->log('new account') if $options{'log'};
@@ -2026,7 +2026,7 @@ sub new_account {
}

sub username_cookies {
- my ($user, $pw) = @_;
+ my ($user, $pw, $secure) = @_;
return unless
$CGI::values{mv_cookie_password}
or
$CGI::values{mv_cookie_username}
or
@@ -2034,13 +2034,14 @@ sub username_cookies {
Vend::Util::read_cookie('MV_USERNAME');
$::Instance->{Cookies} = [] unless defined
$::Instance->{Cookies};
my $exp = time() + $Vend::Cfg->{SaveExpire};
+ $secure ||= $CGI::secure;
push @{$::Instance->{Cookies}},
['MV_USERNAME', $user, $exp];
return unless
$CGI::values{mv_cookie_password}
or
Vend::Util::read_cookie('MV_PASSWORD');
push @{$::Instance->{Cookies}},
- ['MV_PASSWORD', $pw, $exp];
+ ['MV_PASSWORD', $pw, $exp, undef, undef,
$secure];
return;
}
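Review bot: after `$secure ||= $CGI::secure;`, only the `MV_PASSWORD` entry carries `$secure`; the `MV_USERNAME` push directly below that line still has three elements and is pushed without it. If the split is intended, as the subject suggests, say so in a comment; otherwise give both entries the same six-element form. The `||=` also means `secure_cookies` can force the flag on but a false value cannot turn it off on a secure page, which the documentation should state. Once `MV_PASSWORD` is flagged, browsers will not send it on non-secure requests, so the `Vend::Util::read_cookie('MV_PASSWORD')` test will be false there and the cookie is reissued only when `mv_cookie_password` is submitted. A short comment naming the two `undef` positional fields would help readers of the array.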


--
Josh Lavin
Perusion -- Expert Interchange Consulting http://www.perusion.com/

_______________________________________________
interchange-users mailing list
interchange-users [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-users


jon at endpoint

Jul 12, 2012, 1:03 PM

Post #2 of 3 (138 views)
Re: Make MV_PASSWORD secure if set on secure page

Josh,

Unless I'm missing something, we need some documentation for this. You
seem to be introducing a new UserDB option "secure_cookies" but there's no
instruction on how to use it, or that it even exists.

Additions to the xmldocs repo, the catalog.cfg examples, and explanation
in the commit message would all help.

Thanks,
Jon


On Thu, 12 Jul 2012, Josh Lavin wrote:

> https://github.com/jlavin/interchange/commit/0b840ab8913af5aa57ced27ab963a557ddb2f7d6
>
> --- a/lib/Vend/UserDB.pm
> +++ b/lib/Vend/UserDB.pm
> @@ -1572,7 +1572,7 @@ sub login {
> );
> }
>
> - username_cookies($self->{PASSED_USERNAME} ||
> $self->{USERNAME}, $pw)
> + username_cookies($self->{PASSED_USERNAME} ||
> $self->{USERNAME}, $pw, $self->{OPTIONS}{secure_cookies})
> if $Vend::Cfg->{CookieLogin};
>
> if ($self->{LOCATION}{LAST} ne 'none') {
> @@ -1998,7 +1998,7 @@ sub new_account {
> else {
> $self->set_values() unless
> $self->{OPTIONS}{no_set};
> $self->{USERNAME} = $foreign if $foreign;
> - username_cookies($self->{USERNAME}, $pw)
> + username_cookies($self->{USERNAME}, $pw,
> $self->{OPTIONS}{secure_cookies})
> if $Vend::Cfg->{CookieLogin};
>
> $self->log('new account') if $options{'log'};
> @@ -2026,7 +2026,7 @@ sub new_account {
> }
>
> sub username_cookies {
> - my ($user, $pw) = @_;
> + my ($user, $pw, $secure) = @_;
> return unless
> $CGI::values{mv_cookie_password}
> or
> $CGI::values{mv_cookie_username}
> or
> @@ -2034,13 +2034,14 @@ sub username_cookies {
> Vend::Util::read_cookie('MV_USERNAME');
> $::Instance->{Cookies} = [] unless defined
> $::Instance->{Cookies};
> my $exp = time() + $Vend::Cfg->{SaveExpire};
> + $secure ||= $CGI::secure;
> push @{$::Instance->{Cookies}},
> ['MV_USERNAME', $user, $exp];
> return unless
> $CGI::values{mv_cookie_password}
> or
> Vend::Util::read_cookie('MV_PASSWORD');
> push @{$::Instance->{Cookies}},
> - ['MV_PASSWORD', $pw, $exp];
> + ['MV_PASSWORD', $pw, $exp, undef, undef,
> $secure];
> return;
> }

--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
+1 507-399-0057



josh at perusion

Jul 13, 2012, 9:57 AM

Post #3 of 3 (136 views)
Re: Make MV_PASSWORD secure if set on secure page

Quoting Jon Jensen (jon [at] endpoint):
> Josh,
>
> Unless I'm missing something, we need some documentation for this.
> You seem to be introducing a new UserDB option "secure_cookies" but
> there's no instruction on how to use it, or that it even exists.
>
> Additions to the xmldocs repo, the catalog.cfg examples, and
> explanation in the commit message would all help.

Here's a patch for xmldocs:
https://github.com/jlavin/xmldocs/commit/bb5b2952a69627746e0acfb6a93b47f51f617a06


> On Thu, 12 Jul 2012, Josh Lavin wrote:
>
> >https://github.com/jlavin/interchange/commit/0b840ab8913af5aa57ced27ab963a557ddb2f7d6
> >
> >--- a/lib/Vend/UserDB.pm
> >+++ b/lib/Vend/UserDB.pm
> >@@ -1572,7 +1572,7 @@ sub login {
> > );
> > }
> >
> >- username_cookies($self->{PASSED_USERNAME} ||
> > $self->{USERNAME}, $pw)
> >+ username_cookies($self->{PASSED_USERNAME} ||
> >$self->{USERNAME}, $pw, $self->{OPTIONS}{secure_cookies})
> > if $Vend::Cfg->{CookieLogin};
> >
> > if ($self->{LOCATION}{LAST} ne 'none') {
> >@@ -1998,7 +1998,7 @@ sub new_account {
> > else {
> > $self->set_values() unless
> >$self->{OPTIONS}{no_set};
> > $self->{USERNAME} = $foreign if $foreign;
> >- username_cookies($self->{USERNAME}, $pw)
> >+ username_cookies($self->{USERNAME}, $pw,
> >$self->{OPTIONS}{secure_cookies})
> > if $Vend::Cfg->{CookieLogin};
> >
> > $self->log('new account') if $options{'log'};
> >@@ -2026,7 +2026,7 @@ sub new_account {
> >}
> >
> >sub username_cookies {
> >- my ($user, $pw) = @_;
> >+ my ($user, $pw, $secure) = @_;
> > return unless
> > $CGI::values{mv_cookie_password}
> >or
> > $CGI::values{mv_cookie_username}
> >or
> >@@ -2034,13 +2034,14 @@ sub username_cookies {
> > Vend::Util::read_cookie('MV_USERNAME');
> > $::Instance->{Cookies} = [] unless defined
> >$::Instance->{Cookies};
> > my $exp = time() + $Vend::Cfg->{SaveExpire};
> >+ $secure ||= $CGI::secure;
> > push @{$::Instance->{Cookies}},
> > ['MV_USERNAME', $user, $exp];
> > return unless
> > $CGI::values{mv_cookie_password}
> >or
> > Vend::Util::read_cookie('MV_PASSWORD');
> > push @{$::Instance->{Cookies}},
> >- ['MV_PASSWORD', $pw, $exp];
> >+ ['MV_PASSWORD', $pw, $exp, undef, undef,
> >$secure];
> > return;
> >}
>

