From cc6147e87a49a610babfb5e09259757cef2374c5 Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Tue, 2 Jan 2024 16:08:54 +0200
Subject: [PATCH] fixed all cookies should be HttpOnly since JS code does not read any of them
---
 .../scoold/controllers/LanguagesController.java | 2 +-
 .../scoold/controllers/PeopleController.java | 4 ++--
 .../scoold/controllers/QuestionsController.java | 4 ++--
 .../java/com/erudika/scoold/utils/HttpUtils.java | 13 +++++--------
 .../java/com/erudika/scoold/utils/ScooldUtils.java | 2 +-
 5 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/src/main/java/com/erudika/scoold/controllers/LanguagesController.java b/src/main/java/com/erudika/scoold/controllers/LanguagesController.java
index cc506097..afd90d15 100755
--- a/src/main/java/com/erudika/scoold/controllers/LanguagesController.java
+++ b/src/main/java/com/erudika/scoold/controllers/LanguagesController.java
@@ -66,7 +66,7 @@ public String post(@PathVariable String langkey, HttpServletRequest req, HttpSer
 Locale locale = utils.getCurrentLocale(langkey);
 if (locale != null) {
 int maxAge = 60 * 60 * 24 * 365; //1 year
- HttpUtils.setRawCookie(ScooldUtils.getConfig().localeCookie(), locale.toString(), req, res, false, "Strict", maxAge);
+ HttpUtils.setRawCookie(ScooldUtils.getConfig().localeCookie(), locale.toString(), req, res, "Strict", maxAge);
 }
 return "redirect:" + LANGUAGESLINK;
 }
diff --git a/src/main/java/com/erudika/scoold/controllers/PeopleController.java b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
index ac64cf4b..8f5eea89 100755
--- a/src/main/java/com/erudika/scoold/controllers/PeopleController.java
+++ b/src/main/java/com/erudika/scoold/controllers/PeopleController.java
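Review bot: The locale cookie becomes unreadable from client-side script with the new call on the `+` line, and nothing in the hunk shows that this was checked against the front end; the same applies to the `users-view-compact`, `users-filter`, `questions-view-compact` and `questions-filter` cookies in the PeopleController and QuestionsController hunks, which were the only callers passing an explicit `false` before. A script that reads one of these names via `document.cookie` would now silently get nothing rather than fail loudly, so I would confirm in the static JS that no such reader exists before merging. The commit message asserts this already; a one-line pointer to where it was verified would be enough. post() begins before the hunk.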
@@ -167,7 +167,7 @@ public String applyFilter(@RequestParam(required = false) String sortby, @Reques
 p.setSelect(spacesList);
 savePagerToCookie(req, res, p);
 HttpUtils.setRawCookie("users-view-compact", compactViewEnabled,
- req, res, false, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
+ req, res, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
 }
 }
 return "redirect:" + PEOPLELINK + (bulkedit ? "/bulk-edit" : "") + (StringUtils.isBlank(sortby) ? "" : "?sortby="
@@ -263,7 +263,7 @@ public String getName() {
 private void savePagerToCookie(HttpServletRequest req, HttpServletResponse res, Pager p) {
 try {
 HttpUtils.setRawCookie("users-filter", Utils.base64enc(ParaObjectUtils.getJsonWriterNoIdent().
- writeValueAsBytes(p)), req, res, false, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
+ writeValueAsBytes(p)), req, res, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
 } catch (JsonProcessingException ex) { }
 }
diff --git a/src/main/java/com/erudika/scoold/controllers/QuestionsController.java b/src/main/java/com/erudika/scoold/controllers/QuestionsController.java
index 2bd8eaba..5b69712b 100755
--- a/src/main/java/com/erudika/scoold/controllers/QuestionsController.java
+++ b/src/main/java/com/erudika/scoold/controllers/QuestionsController.java
@@ -184,7 +184,7 @@ public String applyFilter(@RequestParam(required = false) String sortby, @Reques
 }
 savePagerToCookie(req, res, p);
 HttpUtils.setRawCookie("questions-view-compact", compactViewEnabled,
- req, res, false, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
+ req, res, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
 }
 return "redirect:" + QUESTIONSLINK + (StringUtils.isBlank(sortby) ? "" : "?sortby="
 + Optional.ofNullable(StringUtils.trimToNull(sortby)).orElse(tab));
@@ -476,7 +476,7 @@ public String getName() {
 private void savePagerToCookie(HttpServletRequest req, HttpServletResponse res, Pager p) {
 try {
 HttpUtils.setRawCookie("questions-filter", Utils.base64enc(ParaObjectUtils.getJsonWriterNoIdent().
- writeValueAsBytes(p)), req, res, false, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
+ writeValueAsBytes(p)), req, res, "Strict", (int) TimeUnit.DAYS.toSeconds(365));
 } catch (JsonProcessingException ex) { }
 }
diff --git a/src/main/java/com/erudika/scoold/utils/HttpUtils.java b/src/main/java/com/erudika/scoold/utils/HttpUtils.java
index d04e7543..2870dd29 100644
--- a/src/main/java/com/erudika/scoold/utils/HttpUtils.java
+++ b/src/main/java/com/erudika/scoold/utils/HttpUtils.java
@@ -125,7 +125,7 @@ public static void setStateParam(String name, String value, HttpServletRequest r
 */
 public static void setStateParam(String name, String value, HttpServletRequest req,
 HttpServletResponse res, boolean httpOnly) {
- setRawCookie(name, value, req, res, httpOnly, null, -1);
+ setRawCookie(name, value, req, res, null, -1);
 }
 /**
@@ -146,7 +146,7 @@ public static String getStateParam(String name, HttpServletRequest req) {
 */
 public static void removeStateParam(String name, HttpServletRequest req,
 HttpServletResponse res) {
- setRawCookie(name, "", req, res, false, null, 0);
+ setRawCookie(name, "", req, res, null, 0);
 }
 /**
@@ -155,12 +155,11 @@ public static void removeStateParam(String name, HttpServletRequest req,
 * @param value the value
 * @param req HTTP request
 * @param res HTTP response
- * @param httpOnly HTTP only flag
 * @param sameSite SameSite flag
 * @param maxAge max age
 */
 public static void setRawCookie(String name, String value, HttpServletRequest req,
- HttpServletResponse res, boolean httpOnly, String sameSite, int maxAge) {
+ HttpServletResponse res, String sameSite, int maxAge) {
 if (StringUtils.isBlank(name) || value == null || req == null || res == null) {
 return;
 }
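Review bot: The `httpOnly` parameter of setStateParam is now dead — the new `setRawCookie(name, value, req, res, null, -1)` call drops it, so a caller passing `false` still gets an HttpOnly cookie while the signature on the context line still advertises a real switch, and the Javadoc above the hunk presumably still documents it as one. Either remove the parameter from this overload, or keep it for source compatibility but mark the method `@Deprecated` and reword its `@param` entry to `@param httpOnly ignored; every cookie written by this class is HttpOnly`. The `@param` line itself is outside the hunk.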
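Review bot: The Javadoc of setRawCookie loses `@param httpOnly` but nothing replaces it, so a reader of the contract no longer learns that the cookie is always written HttpOnly and therefore cannot be read by client-side script — the one fact every caller of the new signature needs. Add a sentence to the method description, which sits above the hunk, e.g. `The cookie is always written with the HttpOnly attribute and is not readable from client-side script.`. setRawCookie's body continues past the end of the hunk.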
@@ -172,9 +171,7 @@ public static void setRawCookie(String name, String value, HttpServletRequest re
 sb.append("Path=").append(path).append(";");
 sb.append("Expires=").append(expires).append(";");
 sb.append("Max-Age=").append(maxAge < 0 ? CONF.sessionTimeoutSec() : maxAge).append(";");
- if (httpOnly) {
- sb.append("HttpOnly;");
- }
+ sb.append("HttpOnly;"); // all cookies should be HttpOnly, JS does not need to read cookie values
 if (StringUtils.startsWithIgnoreCase(CONF.serverUrl(), "https://") || req.isSecure()) {
 sb.append("Secure;");
 }
@@ -274,7 +271,7 @@ public static void setAuthCookie(String jwt, HttpServletRequest req, HttpServlet
 if (StringUtils.isBlank(jwt)) {
 return;
 }
- setRawCookie(CONF.authCookie(), jwt, req, res, true, "Lax", CONF.sessionTimeoutSec());
+ setRawCookie(CONF.authCookie(), jwt, req, res, "Lax", CONF.sessionTimeoutSec());
 }
 /**
diff --git a/src/main/java/com/erudika/scoold/utils/ScooldUtils.java b/src/main/java/com/erudika/scoold/utils/ScooldUtils.java
index fee52301..6f1d45a0 100755
--- a/src/main/java/com/erudika/scoold/utils/ScooldUtils.java
+++ b/src/main/java/com/erudika/scoold/utils/ScooldUtils.java
@@ -1410,7 +1410,7 @@ public void storeSpaceIdInCookie(String space, HttpServletRequest req, HttpServl
 // used for setting the space from a direct URL to a particular space
 req.setAttribute(CONF.spaceCookie(), space);
 HttpUtils.setRawCookie(CONF.spaceCookie(), Utils.base64encURL(space.getBytes()),
- req, res, true, "Strict", StringUtils.isBlank(space) ? 0 : 365 * 24 * 60 * 60);
+ req, res, "Strict", StringUtils.isBlank(space) ? 0 : 365 * 24 * 60 * 60);
 }
 public String verifyExistingSpace(Profile authUser, String space) {
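Review bot: The rationale on the new `sb.append("HttpOnly;")` line is a trailing comment that pushes the line well past the 100-column mark and is easy to miss next to the attribute it explains; it reads better as its own line above the append, e.g. `// Always HttpOnly: no client-side script in this application reads cookie values.`. Because the unconditional attribute is now the contract every caller relies on, the same sentence also belongs in setRawCookie's Javadoc, not only inside the body. setRawCookie starts before the hunk and continues after it.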