projects / koha_fer / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'bug_9332' into 3.12-master
[koha_fer] / C4 / Auth.pm
diff --git a/C4/Auth.pm b/C4/Auth.pm
index b32136a..0c57a3f 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -264,12 +264,13 @@ sub get_template_and_user {
                                                       $_->{'time'},
                             ) foreach @recentSearches;
 
-                                       # And then, delete the cookie's content
-                                       my $newsearchcookie = $in->{'query'}->cookie(
-                                                                                               -name => 'KohaOpacRecentSearches',
-                                                                                               -value => freeze([]),
-                                                                                               -expires => ''
-                                                                                        );
+                    # And then, delete the cookie's content
+                    my $newsearchcookie = $in->{'query'}->cookie(
+                                                -name => 'KohaOpacRecentSearches',
+                                                -value => freeze([]),
+                                                -HttpOnly => 1,
+                                                -expires => ''
+                                             );
                                        $cookie = [$cookie, $newsearchcookie];
                                }
                        }
@@ -300,6 +301,7 @@ sub get_template_and_user {
        }
 
     if(C4::Context->preference('dateformat')){
+        $template->param( dateformat => C4::Context->preference('dateformat') );
         if(C4::Context->preference('dateformat') eq "metric"){
             $template->param(dateformat_metric => 1);
         } elsif(C4::Context->preference('dateformat') eq "us"){
@@ -632,16 +634,18 @@ sub checkauth {
     # when using authentication against multiple CAS servers, as configured in Auth_cas_servers.yaml
     my $casparam = $query->param('cas');
 
-    if ( $userid = $ENV{'REMOTE_USER'} ) {
-        # Using Basic Authentication, no cookies required
+        if ( $userid = $ENV{'REMOTE_USER'} ) {
+            # Using Basic Authentication, no cookies required
         $cookie = $query->cookie(
-            -name    => 'CGISESSID',
-            -value   => '',
-            -expires => ''
+            -name     => 'CGISESSID',
+            -value    => '',
+            -expires  => '',
+            -HttpOnly => 1,
         );
         $loggedin = 1;
     }
-    elsif ( $sessionID = $query->cookie("CGISESSID")) {     # assignment, not comparison
+    elsif ( $sessionID = $query->cookie("CGISESSID") )
+    {    # assignment, not comparison
         my $session = get_session($sessionID);
         C4::Context->_new_userenv($sessionID);
         my ($ip, $lasttime, $sessiontype);
@@ -707,8 +711,12 @@ sub checkauth {
             $userid    = undef;
         }
         else {
-            $cookie = $query->cookie( CGISESSID => $session->id );
-            $session->param('lasttime',time());
+            $cookie = $query->cookie(
+                -name     => 'CGISESSID',
+                -value    => $session->id,
+                -HttpOnly => 1
+            );
+            $session->param( 'lasttime', time() );
             unless ( $sessiontype && $sessiontype eq 'anon' ) { #if this is an anonymous session, we want to update the session, but not behave as if they are logged in...
                 $flags = haspermission($userid, $flagsrequired);
                 if ($flags) {
@@ -724,8 +732,12 @@ sub checkauth {
         my $session = get_session("") or die "Auth ERROR: Cannot get_session()";
         my $sessionID = $session->id;
         C4::Context->_new_userenv($sessionID);
-        $cookie = $query->cookie( CGISESSID => $sessionID );
-        $userid = $query->param('userid');
+        $cookie = $query->cookie(
+            -name     => 'CGISESSID',
+            -value    => $session->id,
+            -HttpOnly => 1
+        );
+    $userid = $query->param('userid');
         if (   ( $cas && $query->param('ticket') )
             || $userid
             || ( my $pki_field = C4::Context->preference('AllowPKIAuth') ) ne
@@ -916,7 +928,11 @@ sub checkauth {
     {
         # successful login
         unless ($cookie) {
-            $cookie = $query->cookie( CGISESSID => '' );
+            $cookie = $query->cookie(
+                -name     => 'CGISESSID',
+                -value    => '',
+                -HttpOnly => 1
+            );
         }
         return ( $userid, $cookie, $sessionID, $flags );
     }
@@ -1121,7 +1137,11 @@ sub check_api_auth {
                 $sessionID = undef;
                 return ("expired", undef, undef);
             } else {
-                my $cookie = $query->cookie( CGISESSID => $session->id );
+                my $cookie = $query->cookie(
+                    -name  => 'CGISESSID',
+                    -value => $session->id,
+                    -HttpOnly => 1,
+                );
                 $session->param('lasttime',time());
                 my $flags = haspermission($userid, $flagsrequired);
                 if ($flags) {
@@ -1165,7 +1185,11 @@ sub check_api_auth {
 
             my $sessionID = $session->id;
             C4::Context->_new_userenv($sessionID);
-            my $cookie = $query->cookie(CGISESSID => $sessionID);
+            my $cookie = $query->cookie(
+                -name  => 'CGISESSID',
+                -value => $sessionID,
+                -HttpOnly => 1,
+            );
             if ( $return == 1 ) {
                 my (
                     $borrowernumber, $firstname,  $surname,
Unnamed repository; edit this file 'description' to name the repository.