[TYPO3-core] RFC: Feature #7461: Transfer cookies via SSL only whenever possible

Oliver Hader oliver at typo3.org
Wed Sep 30 18:57:41 CEST 2009


This is an SVN patch request.

Type: Feature / Security enhancement

Bugtracker references:
http://bugs.typo3.org/view.php?id=7461

Branches: Trunk

Problem:
TYPO3 sets a cookie over a secure channel without using the "secure"
attribute. RFC states that if the cookie does not have the secure
attribute assigned to it, then the cookie can be passed to the server by
the client over non-secure channels (http). Using this attack, an
attacker may be able to intercept this cookie, over the non-secure
channel, and use it for a session hijacking attack.

Solution:
Use the PHP setcookie() method with the additional parameters "secure"
and "httpOnly" (description from PHP.net):

secure: Indicates that the cookie should only be transmitted over a
secure HTTPS connection from the client. When set to TRUE, the cookie
will only be set if a secure connection exists. The default is FALSE. On
the server-side, it's on the programmer to send this kind of cookie only
on secure connection (e.g. with respect to $_SERVER["HTTPS"]).

httpOnly: When TRUE the cookie will be made accessible only through the
HTTP protocol. This means that the cookie won't be accessible by
scripting languages, such as JavaScript. This setting can effectively
help to reduce identity theft through XSS attacks (although it is not
supported by all browsers). Added in PHP 5.2.0. TRUE or FALSE

In TYPO3_CONF_VARS[SYS] two new settings are introduced:
* cookieSecure: Integer 0, 1, 2
  + 0: do not use the secure flag
  + 1: only use the secure flag (force SSL) and do not set cookie if no
HTTPS connection exists
  + 2: use secure flag only if HTTPS connection exists, otherwise don't
use that flag but set the regular cookie
* cookieHttpOnly: Boolean


olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
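The three cookieSecure modes and the cookieHttpOnly switch described in the RFC, modelled as an added example. This is illustration code written for this page, not the TYPO3 patch itself: the function names (isHttpsRequest, resolveCookieSecure, sendSessionCookie), the $conf array shape and the sample $_SERVER environments are assumptions, and the syntax assumes PHP 7 or later rather than the PHP 5.2 the message targets. The decision of whether to send the cookie and whether to set the flag is kept separate from the setcookie() call so it can be exercised without an HTTP request; note that the "secure" attribute itself is enforced by the client, so the server-side check on $_SERVER['HTTPS'] only controls what is emitted.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. Names below are assumptions made
// for this example; they are not the identifiers used in the patch.

/**
 * Does this request arrive over HTTPS? Follows the $_SERVER['HTTPS']
 * convention referred to on PHP.net: unset or "off" means plain HTTP.
 */
function isHttpsRequest(array $server): bool
{
    $https = $server['HTTPS'] ?? '';
    return $https !== '' && strtolower((string) $https) !== 'off';
}

/**
 * Map TYPO3_CONF_VARS[SYS][cookieSecure] (0, 1, 2) plus the connection
 * type to a decision: [send the cookie at all?, set the secure flag?].
 */
function resolveCookieSecure(int $cookieSecure, bool $isHttps): array
{
    switch ($cookieSecure) {
        case 0: // never use the secure flag
            return [true, false];
        case 1: // force SSL: secure flag only, and no cookie on plain HTTP
            return [$isHttps, $isHttps];
        case 2: // secure flag when HTTPS is available, plain cookie otherwise
            return [true, $isHttps];
        default:
            throw new InvalidArgumentException('cookieSecure must be 0, 1 or 2');
    }
}

/**
 * Emit the cookie according to the resolved decision. Returns false
 * when mode 1 suppresses the cookie on a non-HTTPS connection.
 */
function sendSessionCookie(string $name, string $value, array $conf, array $server): bool
{
    [$send, $secure] = resolveCookieSecure((int) $conf['cookieSecure'], isHttpsRequest($server));
    if (!$send) {
        return false;
    }
    $httpOnly = (bool) $conf['cookieHttpOnly'];
    // setcookie(name, value, expire, path, domain, secure, httponly): the
    // seventh "httponly" argument exists since PHP 5.2.0.
    return setcookie($name, $value, 0, '/', '', $secure, $httpOnly);
}

// Walk through all three modes over constructed request environments
// (these arrays stand in for $_SERVER; no real request is involved).
foreach ([0, 1, 2] as $mode) {
    foreach ([['HTTPS' => 'on'], ['HTTPS' => 'off'], []] as $env) {
        [$send, $secure] = resolveCookieSecure($mode, isHttpsRequest($env));
        printf(
            "cookieSecure=%d HTTPS=%-3s send=%-5s secure=%s\n",
            $mode,
            $env['HTTPS'] ?? '-',
            var_export($send, true),
            var_export($secure, true)
        );
    }
}
```

Run from the command line the loop prints the decision table; mode 1 is the only one that yields send=false, and it does so exactly when HTTPS is absent or "off", while mode 2 always sends but only flags the cookie as secure over HTTPS.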

