Improving Cookie Security
In FileCloud versions prior to 23.1 and in FileCloud version 23.241 and later, TONIDOCLOUD_SECURE_COOKIE is disabled by default.
In FileCloud versions 23.1 and 23.232, TONIDOCLOUD_SECURE_COOKIE is enabled by default.
Defending your browser from CSRF attacks
To defend your browser from cross-site request forgery (CSRF) attacks, you can add a cookie same-site setting to FileCloud.
The cookie same-site value can be set to the following, as stated in the MDN Web Docs site at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite:
- Lax - Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
- Strict - Cookies will only be sent in a first-party context and not be sent along with requests initiated by third-party websites.
- None - Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
To set the Secure attribute, see Adding httponly and secure flags, below.
For more information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.
To specify a cookie same-site value:
- Open cloudconfig.php:
Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
Linux Location: /var/www/config/cloudconfig.php
- To set the cookie same-site setting to strict, add:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
To set the cookie same-site setting to lax (the default), add:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Lax");
To set the cookie same-site setting to none, add:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
Adding httponly and secure flags
You can take additional steps to make your cookies secure from external attacks by adding httponly and secure flags when sending cookies through HTTP headers.
What do httponly and secure flags do?
- A cookie can be read either by the server, when the browser sends it in an HTTP request, or by client-side JavaScript (for example through document.cookie). The httponly flag blocks access from client-side JavaScript, so the cookie is only ever transmitted in HTTP requests and cannot be read by script running in the page.
- Most sites are accessed over https, but some sites may also be accessed over http, or some of their components may be loaded over http. This leaves cookies exposed in plain-text traffic. The secure flag prevents this by instructing the browser to send the cookie only over https, never over http.
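The three attributes described in this section and in the same-site section above can be verified directly on the Set-Cookie headers a FileCloud server returns. The following is an added example, not FileCloud code: a small Python checker that parses a raw Set-Cookie header value, reports which of Secure, HttpOnly and SameSite are missing, and flags the MDN rule that SameSite=None is only valid together with Secure. The sample header values are constructed to mirror the three configurations discussed on this page.

```python
"""Audit Set-Cookie header values for the Secure, HttpOnly and SameSite attributes.

Added example (not FileCloud code). Feed it the raw value of each Set-Cookie
response header (everything after "Set-Cookie: ") and it returns the findings
a reviewer would want to see for that cookie.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            # Normalize case so "lax", "LAX" and "Lax" compare equal
            samesite = val.strip().title() or None
    return CookieAudit(name, secure, httponly, samesite)


def audit_cookie(header_value: str) -> CookieAudit:
    """Apply the checks from the page: Secure, HttpOnly, SameSite, and None-needs-Secure."""
    c = parse_set_cookie(header_value)
    if not c.secure:
        c.findings.append("missing Secure: cookie may be sent over plain http")
    if not c.httponly:
        c.findings.append("missing HttpOnly: cookie is readable from client-side JavaScript")
    if c.samesite is None:
        c.findings.append("missing SameSite: the browser's default policy applies")
    elif c.samesite == "None" and not c.secure:
        c.findings.append("SameSite=None without Secure: browsers will reject the cookie")
    elif c.samesite not in ("Strict", "Lax", "None"):
        c.findings.append(f"unknown SameSite value {c.samesite!r}")
    return c


# Constructed sample headers (not captured from a real server), modelled on the
# recommended settings, the FileCloud for Office / MS Teams setting, and a
# cookie with no attributes at all.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "session=abc123; Path=/; HttpOnly; SameSite=None",
    "session=abc123; Path=/",
]


def audit_all(headers: List[str]) -> List[List[str]]:
    """Return the findings list for each header, in input order."""
    return [audit_cookie(h).findings for h in headers]


if __name__ == "__main__":
    for header, findings in zip(SAMPLE_HEADERS, audit_all(SAMPLE_HEADERS)):
        print(header)
        for f in findings or ["ok"]:
            print("  -", f)
```

Run it against the Set-Cookie headers of your own FileCloud instance (for example the values returned on the login response) to confirm that the cloudconfig.php settings below are actually reflected in what the browser receives, in particular that a deployment using SameSite=None also has TONIDOCLOUD_SECURE_COOKIE enabled.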
To configure FileCloud to always use the httponly and secure flags in HTTP headers:
- Open cloudconfig.php.
- Windows Location : C:\xampp\htdocs\config\cloudconfig.php
- Linux Location : /var/www/html/config/cloudconfig.php
Add the following:
define("TONIDOCLOUD_SECURE_COOKIE", 1);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
Recommended and default settings
The recommended values for the cookie settings are the following:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
define("TONIDOCLOUD_SECURE_COOKIE", 1);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
However, if you are using FileCloud for Office, you must set the same-site cookie value to None for the feature to function.
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
If you are using FileCloud 23.241 or later:
Your default settings are:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
define("TONIDOCLOUD_SECURE_COOKIE", 0);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
If you are using FileCloud 23.1 or later:
The above recommended settings are the same as your default settings:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "Strict");
define("TONIDOCLOUD_SECURE_COOKIE", 1);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);
If you are using a version of FileCloud prior to 23.1:
Your default settings are:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
define("TONIDOCLOUD_SECURE_COOKIE", 0);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 0);
You may copy the recommended settings, which are stored in cloudconfig-sample.php, into cloudconfig.php to override the defaults.
Integration with MS Teams
If you have integrated your system with MS Teams, and login frequently redirects users back to the login page:
- Open cloudconfig.php:
Windows Location: XAMPP DIRECTORY/htdocs/config/cloudconfig.php
Linux Location: /var/www/config/cloudconfig.php
- Add the following settings:
define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");
define("TONIDOCLOUD_SECURE_COOKIE", 1);
define("TONIDOCLOUD_HTTPONLY_COOKIE", 1);