[TYPO3-v4] Enable $TYPO3_CONF_VARS['SYS']['cookieHttpOnly'] by default in 4.7

Helmut Hummel helmut.hummel at typo3.org
Sun Jan 15 12:29:39 CET 2012


Hi Steffen!

I'm also annoyed by the fact we could not set this option by default.[1]

Nevertheless, thanks for bringing this up again, as I now took the 
chance to again dig into this.

On 14.01.12 03:29, Steffen Müller wrote:
> Hi.
>
> On 14.01.2012 01:12 Steffen Gebert wrote:
>> not verified, but I guess the Flash Uploader (swfupload) in the backend
>> requires cookies.
>
> flash s*cks so much.

Yepp! Flash has a bug in regard to properly sending cookies.[2]

This is why swfupload introduced a plugin, which reads the cookies by 
JavaScript and sends them as an additional POST parameter. Thus the 
cookies must be accessible through JavaScript.[3]

But fixing that turned out to be relatively easy. We only need to send 
the session id in the HTML body.

Since the session id is "disclosed" anyway in the cookie on the client 
side, I do not see any downside in doing so.

I added a patch which does that.[4]

This patch also changes the t3lib_userauth to only accept POST values 
because sending the session id via GET is nothing we need nor want.

Kind regards,
Helmut


[1] http://forge.typo3.org/issues/24647
[2] http://swfupload.org/forum/generaldiscussion/383
[3] http://demo.swfupload.org/Documentation/
[4] http://forge.typo3.org/attachments/19842/24647.diff

-- 
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
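The mechanism Helmut describes (HttpOnly session cookie, session id echoed in the HTML body for the cookie-less Flash uploader, server accepting it only from POST) as an added PHP example. This is not code from the TYPO3 core or from the referenced patch; the cookie name, the session id format and the function names are assumptions made for the demo.

```php
<?php
// Added example, not TYPO3 code: HttpOnly session cookie plus a POST-only
// fallback for clients that cannot send cookies (the swfupload case).
declare(strict_types=1);

const SESSION_COOKIE_NAME = 'demo_session'; // hypothetical cookie name for this demo

/**
 * Build the Set-Cookie header for the session cookie. HttpOnly keeps the value
 * out of document.cookie; Secure is added when the request came over HTTPS.
 */
function sessionCookieHeader(string $sessionId, bool $https): string
{
    $parts = [
        SESSION_COOKIE_NAME . '=' . rawurlencode($sessionId),
        'Path=/',
        'HttpOnly',
    ];
    if ($https) {
        $parts[] = 'Secure';
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

/** Accept only the session id format we issue here (32 hex chars, an assumption). */
function isWellFormedSessionId(string $candidate): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $candidate) === 1;
}

/**
 * Resolve the session id for a request: the cookie first, then the POST field
 * a cookie-less uploader can carry. The query string is deliberately not an
 * input of this function, so a session id in a link or a proxy log is never
 * accepted.
 */
function resolveSessionId(array $cookies, array $post): ?string
{
    $candidates = [
        $cookies[SESSION_COOKIE_NAME] ?? null,
        $post[SESSION_COOKIE_NAME] ?? null,
    ];
    foreach ($candidates as $candidate) {
        if (is_string($candidate) && isWellFormedSessionId($candidate)) {
            return $candidate;
        }
    }
    return null;
}

/** Hidden form field so the uploader can echo the id back in its POST body. */
function sessionIdFormField(string $sessionId): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        SESSION_COOKIE_NAME,
        htmlspecialchars($sessionId, ENT_QUOTES, 'UTF-8')
    );
}

// Demo with a constructed session id.
$sid = bin2hex(random_bytes(16));
echo sessionCookieHeader($sid, true), PHP_EOL;
echo sessionIdFormField($sid), PHP_EOL;
var_dump(resolveSessionId([SESSION_COOKIE_NAME => $sid], []) === $sid); // cookie path
var_dump(resolveSessionId([], [SESSION_COOKIE_NAME => $sid]) === $sid); // POST fallback
var_dump(resolveSessionId([], []) === null);                            // nothing usable
```

The hidden field puts the session id into the page source, so it is worth emitting it only on the pages that host the uploader, and the format check before use keeps an attacker-supplied POST value from being passed on to the session backend unvalidated.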

