From f4a35174ff8e27863c91006fc26426bcf22ed02a Mon Sep 17 00:00:00 2001
From: Anthony U Fojas
Date: Thu, 4 Feb 2016 13:32:06 -0600
Subject: [PATCH 1/2] Make the generated cookies httponly
The tgt cookie should be httponly to mitigate some common XSS attacks. https://www.owasp.org/index.php/HttpOnly#Mitigating_the_Most_Common_XSS_attack_using_HttpOnly
---
 app/helpers/casino/sessions_helper.rb | 2 +-
 spec/controllers/sessions_controller_spec.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/helpers/casino/sessions_helper.rb b/app/helpers/casino/sessions_helper.rb
index 13d27d74..a0492c93 100644
--- a/app/helpers/casino/sessions_helper.rb
+++ b/app/helpers/casino/sessions_helper.rb
@@ -39,7 +39,7 @@ def sign_in(authentication_result, options = {})
 end
 def set_tgt_cookie(tgt)
- cookies[:tgt] = { value: tgt.ticket }.tap do |cookie|
+ cookies[:tgt] = { value: tgt.ticket, httponly: true}.tap do |cookie|
 if tgt.long_term?
 cookie[:expires] = CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now
 end
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 79ecb3f8..79353488 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -399,6 +399,12 @@
 ticket_granting_ticket.reload.should_not be_awaiting_two_factor_authentication
 end
+ it 'creates an httponly cookie' do
+ controller.stub(:cookies).and_return(HashWithIndifferentAccess.new)
+ post :validate_otp, params
+ controller.cookies['tgt']['httponly'].should be(true)
+ end
+
 context 'with a long-term ticket-granting ticket' do
 let(:cookie_jar) { HashWithIndifferentAccess.new }
From 44833d70a02ffa704c3845fb1b84c23d6807eda2 Mon Sep 17 00:00:00 2001
From: Matt Campbell
Date: Mon, 19 Sep 2016 17:51:51 -0500
Subject: [PATCH 2/2] Make the httponly-ness of the cookies configurable
default the configuration to false so that the default behavior matches the previous behavior.
---
 app/helpers/casino/sessions_helper.rb | 2 +-
 lib/casino.rb | 1 +
 spec/controllers/sessions_controller_spec.rb | 24 +++++++++++++++-----
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/app/helpers/casino/sessions_helper.rb b/app/helpers/casino/sessions_helper.rb
index a0492c93..904d7fd8 100644
--- a/app/helpers/casino/sessions_helper.rb
+++ b/app/helpers/casino/sessions_helper.rb
@@ -39,7 +39,7 @@ def sign_in(authentication_result, options = {})
 end
 def set_tgt_cookie(tgt)
- cookies[:tgt] = { value: tgt.ticket, httponly: true}.tap do |cookie|
+ cookies[:tgt] = { value: tgt.ticket, httponly: !!CASino.config.httponly_tgt_cookies }.tap do |cookie|
 if tgt.long_term?
 cookie[:expires] = CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now
 end
diff --git a/lib/casino.rb b/lib/casino.rb
index e15bac79..5a033bcc 100644
--- a/lib/casino.rb
+++ b/lib/casino.rb
@@ -7,6 +7,7 @@ module CASino
 defaults = {
 authenticators: HashWithIndifferentAccess.new,
 require_service_rules: false,
+ httponly_tgt_cookies: false,
 logger: Rails.logger,
 frontend: HashWithIndifferentAccess.new(
 sso_name: 'CASino',
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 79353488..efa9d9b6 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
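Review bot: The default `httponly_tgt_cookies: false` added in lib/casino.rb, read by set_tgt_cookie through `!!CASino.config.httponly_tgt_cookies`, makes the HttpOnly attribute opt-in, so every deployment that never touches the new setting keeps issuing a ticket-granting cookie that page script can read, which undoes what the first patch in this series added. Matching the previous behaviour is the stated reason, but a mitigation flag is safer defaulting on and being announced as a change, i.e. `httponly_tgt_cookies: true,` in the defaults hash, with the sessions_helper.rb hunk then needing no further edit. While in this hunk, no `secure:` option appears in the visible lines of set_tgt_cookie, so unless something outside the hunk sets it the same cookie is also sent over plain HTTP; a config-driven `secure:` next to `httponly:` would be the natural companion. The body of set_tgt_cookie continues past the end of the hunk.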
@@ -258,6 +258,24 @@
 tgt = CASino::TicketGrantingTicket.last
 tgt.long_term.should == true
 end
+
+ it 'creates a cookie that is not httponly by default' do
+ post :create, params
+ controller.cookies['tgt']['httponly'].should be(false)
+ end
+
+ context 'when we are configured for http_only_tgt_cookies' do
+ before do
+ CASino.config.httponly_tgt_cookies = true
+ end
+ after do
+ CASino.config.httponly_tgt_cookies = false
+ end
+ it 'creates an httponly cookie' do
+ post :create, params
+ controller.cookies['tgt']['httponly'].should be(true)
+ end
+ end
 end
 context 'with two-factor authentication enabled' do
@@ -399,12 +417,6 @@
 ticket_granting_ticket.reload.should_not be_awaiting_two_factor_authentication
 end
- it 'creates an httponly cookie' do
- controller.stub(:cookies).and_return(HashWithIndifferentAccess.new)
- post :validate_otp, params
- controller.cookies['tgt']['httponly'].should be(true)
- end
-
 context 'with a long-term ticket-granting ticket' do
 let(:cookie_jar) { HashWithIndifferentAccess.new }
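Review bot: The context description `'when we are configured for http_only_tgt_cookies'` names a key that does not exist; the setting this series introduces is `httponly_tgt_cookies`, so the line should read `context 'when we are configured for httponly_tgt_cookies' do`. The `after` block also resets the flag to a literal `false` rather than to whatever value it held before the example, so if the default ever changes or another spec sets it, the restore leaves global config in the wrong state; capturing it in `before` (`@previous_httponly = CASino.config.httponly_tgt_cookies`) and assigning `@previous_httponly` back in `after` keeps the examples isolated. The describe block that encloses these examples begins before the hunk.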