[TYPO3-core] RFC: Feature #7461: Transfer cookies via SSL only whenever possible

Rupert Germann rupi at gmx.li
Wed Sep 30 19:17:17 CEST 2009


hi Olly,

+1 by reading and testing

greets
rupert



Oliver Hader schrieb:
> This is an SVN patch request.
> 
> Type: Feature / Security enhancement
> 
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=7461
> 
> Branches: Trunk
> 
> Problem:
> TYPO3 sets a cookie over a secure channel without using the "secure"
> attribute. RFC states that if the cookie does not have the secure
> attribute assigned to it, then the cookie can be passed to the server by
> the client over non-secure channels (http). Using this attack, an
> attacker may be able to intercept this cookie, over the non-secure
> channel, and use it for a session hijacking attack.
> 
> Solution:
> Use the PHP setcookie() method with the additional parameters "secure"
> and "httpOnly" (description from PHP.net):
> 
> secure: Indicates that the cookie should only be transmitted over a
> secure HTTPS connection from the client. When set to TRUE, the cookie
> will only be set if a secure connection exists. The default is FALSE. On
> the server-side, it's on the programmer to send this kind of cookie only
> on secure connection (e.g. with respect to $_SERVER["HTTPS"]).
> 
> httpOnly: When TRUE the cookie will be made accessible only through the
> HTTP protocol. This means that the cookie won't be accessible by
> scripting languages, such as JavaScript. This setting can effectively
> help to reduce identity theft through XSS attacks (although it is not
> supported by all browsers). Added in PHP 5.2.0. TRUE or FALSE
> 
> In TYPO3_CONF_VARS[SYS] two new settings are introduced:
> * cookieSecure: Integer 0, 1, 2
>   + 0: do not use the secure flag
>   + 1: only use the secure flag (force SSL) and do not set cookie if no
> HTTPS connection exists
>   + 2: use secure flag only if HTTPS connection exists, otherwise don't
> use that flag but set the regular cookie
> * cookieHttpOnly: Boolean
> 
> 
> olly
> 


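The cookieSecure / cookieHttpOnly semantics described in the quoted RFC, as an added illustration that is not part of this thread and not TYPO3 core code. It maps the three cookieSecure modes onto the seventh and eighth parameters of PHP's setcookie() (available since PHP 5.2.0). The helper names sendSessionCookie() and isHttps(), the use of $_SERVER['HTTPS'] to detect TLS, and reading the settings from $GLOBALS['TYPO3_CONF_VARS']['SYS'] are assumptions made for the example.

```php
<?php
// Added example (not TYPO3 core code): how the cookieSecure and
// cookieHttpOnly settings from the RFC can drive PHP's setcookie().
// Assumed for this example: the helper names, the $_SERVER['HTTPS']
// check, and the $GLOBALS['TYPO3_CONF_VARS']['SYS'] lookup.

function isHttps()
{
    // Most SAPIs set $_SERVER['HTTPS'] to a non-empty value other than
    // 'off' when the request arrived over TLS.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

/**
 * Send a cookie according to cookieSecure:
 *   0: never set the secure flag
 *   1: always set the secure flag; over plain HTTP send no cookie at all
 *   2: set the secure flag only when the request came over HTTPS,
 *      otherwise send an ordinary, non-secure cookie
 * cookieHttpOnly is passed through unchanged as the httponly flag.
 *
 * Returns true if setcookie() was called, false if the cookie was withheld.
 */
function sendSessionCookie($name, $value, $expire = 0, $path = '/', $domain = '')
{
    $sys = $GLOBALS['TYPO3_CONF_VARS']['SYS'];
    $cookieSecure   = isset($sys['cookieSecure'])   ? (int) $sys['cookieSecure']     : 0;
    $cookieHttpOnly = isset($sys['cookieHttpOnly']) ? (bool) $sys['cookieHttpOnly']  : false;

    switch ($cookieSecure) {
        case 1:
            if (!isHttps()) {
                // Forced SSL: refuse to emit the cookie over cleartext, so it
                // can never be observed or replayed from an HTTP request.
                return false;
            }
            $secure = true;
            break;
        case 2:
            // Opportunistic: secure flag only if this request is already TLS.
            $secure = isHttps();
            break;
        default:
            $secure = false;
            break;
    }

    // PHP >= 5.2.0: setcookie(name, value, expire, path, domain, secure, httponly)
    return setcookie($name, $value, $expire, $path, $domain, $secure, $cookieHttpOnly);
}

// Constructed sample configuration and call (not from a real installation).
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure']   = 1;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieHttpOnly'] = true;

$sent = sendSessionCookie('fe_typo_user', 'constructed-session-id');
// On an HTTPS request the response carries
//   Set-Cookie: fe_typo_user=...; path=/; secure; HttpOnly
// On a plain HTTP request with cookieSecure=1, $sent is false and no
// Set-Cookie header is emitted.
```

Two points worth checking when reviewing this behaviour. With cookieSecure=2 a cookie set on an HTTP request carries no secure flag, so the browser will keep sending it in cleartext on later HTTP requests even after the user switches to HTTPS; only mode 1 guarantees the session identifier never crosses the wire unencrypted. And because setcookie() only adds the header, the quickest way to confirm the configuration took effect is to inspect the raw response (for example with curl -I over both http:// and https://) and look for the "secure" and "HttpOnly" attributes on the Set-Cookie line.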