From 626c490771399e5818a3c7d3d970c44402627330 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Mon, 11 Jul 2022 11:11:03 -0700 Subject: [PATCH] Switch browser cookie signature from SHA1 to SHA384. --- webrelayserver.js | 9 +++++++-- webserver.js | 13 +++++++++---- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/webrelayserver.js b/webrelayserver.js index ab20a118..153e77d9 100644 --- a/webrelayserver.js +++ b/webrelayserver.js @@ -61,11 +61,16 @@ module.exports.CreateWebRelayServer = function (parent, db, args, certificates, } } + // Setup a keygrip instance with higher default security, default hash is SHA1, we want to bump that up with SHA384 + // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances + // If args.sessionkey is a string, use it as a single key, but args.sessionkey can also be used as an array of keys. + const keygrip = require('keygrip')((typeof obj.args.sessionkey == 'string') ? [obj.args.sessionkey] : obj.args.sessionkey, 'sha384', 'base64'); + // Setup cookie session - var sessionOptions = { + const sessionOptions = { name: 'xid', // Recommended security practice to not use the default cookie name httpOnly: true, - keys: [args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances + keys: keygrip, secure: (args.tlsoffload == null), // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html) sameSite: (args.sessionsamesite ? args.sessionsamesite : 'lax') } diff --git a/webserver.js b/webserver.js index 0f5929fa..9806a325 100644 --- a/webserver.js +++ b/webserver.js @@ -5759,15 +5759,20 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF } } + // Setup a keygrip instance with higher default security, default hash is SHA1, we want to bump that up with SHA384 + // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances + // If args.sessionkey is a string, use it as a single key, but args.sessionkey can also be used as an array of keys. + const keygrip = require('keygrip')((typeof obj.args.sessionkey == 'string') ? [obj.args.sessionkey] : obj.args.sessionkey, 'sha384', 'base64'); + // Setup the cookie session - var sessionOptions = { + const sessionOptions = { name: 'xid', // Recommended security practice to not use the default cookie name httpOnly: true, - keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances + keys: keygrip, secure: (obj.args.tlsoffload == null), // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html) sameSite: (obj.args.sessionsamesite ? obj.args.sessionsamesite : 'lax') } - if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); } + if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60000); } // sessiontime is minutes obj.app.use(obj.session(sessionOptions)); // Handle all incoming web sockets, see if some need to be handled as web relays @@ -6689,7 +6694,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF // No redirects allowed, fail here. This is important to make sure there is no redirect cascades res.sendStatus(404); } else { - // Request was made to a different host, redirect using the full URL so an HTTP cookie can be created on the other DNS name + // Request was made to a different host, redirect using the full URL so an HTTP cookie can be created on the other DNS name. const httpport = ((args.aliasport != null) ? args.aliasport : args.port); res.redirect('https://' + selectedHost + ((httpport != 443) ? (':' + httpport) : '') + req.url + '&noredirect=1'); }