WebUI: Implement "Secure" flag for session cookie

Closes #11724. Option is enabled by default for users using qBittorrent's built-in HTTPS capabilities. This flag will never be set if qBittorrent is using plain HTTP. Users using HTTPS reverse proxies, like "qbt <-> (http) <-> proxy <-> (https) <-> user" should override the flag in the proxy in order to set it, if they wish to do so.
2025-12-31 04:38:04 -06:00 · 2019-12-23 17:58:08 +00:00
parent 18de63f743
commit 691d5e5d89
8 changed files with 37 additions and 0 deletions
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@@ -239,6 +239,7 @@ void AppController::preferencesAction()
    // Security
    data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
    data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
+    data["web_ui_secure_cookie_enabled"] = pref->isWebUiSecureCookieEnabled();
    data["web_ui_host_header_validation_enabled"] = pref->isWebUIHostHeaderValidationEnabled();
    // Update my dynamic domain name
    data["dyndns_enabled"] = pref->isDynDNSEnabled();
@@ -608,6 +609,8 @@ void AppController::setPreferencesAction()
        pref->setWebUiClickjackingProtectionEnabled(it.value().toBool());
    if (hasKey("web_ui_csrf_protection_enabled"))
        pref->setWebUiCSRFProtectionEnabled(it.value().toBool());
+    if (hasKey("web_ui_secure_cookie_enabled"))
+        pref->setWebUiSecureCookieEnabled(it.value().toBool());
    if (hasKey("web_ui_host_header_validation_enabled"))
        pref->setWebUIHostHeaderValidationEnabled(it.value().toBool());
    // Update my dynamic domain name
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -337,6 +337,7 @@ void WebApplication::configure()

    m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
    m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isSecureCookieEnabled = pref->isWebUiSecureCookieEnabled();
    m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();

@@ -535,6 +536,7 @@ void WebApplication::sessionStart()

    QNetworkCookie cookie(C_SID, m_currentSession->id().toUtf8());
    cookie.setHttpOnly(true);
+    cookie.setSecure(m_isSecureCookieEnabled && m_isHttpsEnabled);
    cookie.setPath(QLatin1String("/"));
    QByteArray cookieRawForm = cookie.toRawForm();
    if (m_isCSRFProtectionEnabled)
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -153,6 +153,7 @@ private:
    QStringList m_domainList;
    bool m_isClickjackingProtectionEnabled;
    bool m_isCSRFProtectionEnabled;
+    bool m_isSecureCookieEnabled;
    bool m_isHostHeaderValidationEnabled;
    bool m_isHttpsEnabled;
    QString m_contentSecurityPolicy;
--- a/src/webui/www/private/views/preferences.html
+++ b/src/webui/www/private/views/preferences.html
@@ -756,6 +756,10 @@
                <input type="checkbox" id="csrf_protection_checkbox" />
                <label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
            </div>
+            <div class="formRow">
+                <input type="checkbox" id="secureCookieCheckbox" />
+                <label for="secureCookieCheckbox">QBT_TR(Enable cookie Secure flag (requires HTTPS))QBT_TR[CONTEXT=OptionsDialog]</label>
+            </div>

            <fieldset class="settings">
                <legend>
@@ -1350,6 +1354,7 @@
            const isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
            $('ssl_cert_text').setProperty('disabled', !isUseHttpsEnabled);
            $('ssl_key_text').setProperty('disabled', !isUseHttpsEnabled);
+            $('secureCookieCheckbox').setProperty('disabled', !isUseHttpsEnabled);
        };

        const updateBypasssAuthSettings = function() {
@@ -1717,6 +1722,7 @@
                        // Security
                        $('clickjacking_protection_checkbox').setProperty('checked', pref.web_ui_clickjacking_protection_enabled);
                        $('csrf_protection_checkbox').setProperty('checked', pref.web_ui_csrf_protection_enabled);
+                        $('secureCookieCheckbox').setProperty('checked', pref.web_ui_secure_cookie_enabled);
                        $('host_header_validation_checkbox').setProperty('checked', pref.web_ui_host_header_validation_enabled);
                        updateHostHeaderValidationSettings();

@@ -2082,6 +2088,7 @@

            settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
            settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
+            settings.set('web_ui_secure_cookie_enabled', $('secureCookieCheckbox').getProperty('checked'));
            settings.set('web_ui_host_header_validation_enabled', $('host_header_validation_checkbox').getProperty('checked'));

            // Update my dynamic domain name