[TYPO3-core] RFC: Feature #7461: Transfer cookies via SSL only whenever possible
Rupert Germann
rupi at gmx.li
Wed Sep 30 19:17:17 CEST 2009
hi Olly,
+1 by reading and testing
greets
rupert
Oliver Hader wrote:
> This is an SVN patch request.
>
> Type: Feature / Security enhancement
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=7461
>
> Branches: Trunk
>
> Problem:
> TYPO3 sets a cookie over a secure channel without using the "secure"
> attribute. RFC states that if the cookie does not have the secure
> attribute assigned to it, then the cookie can be passed to the server by
> the client over non-secure channels (http). Using this attack, an
> attacker may be able to intercept this cookie, over the non-secure
> channel, and use it for a session hijacking attack.
>
> Solution:
> Use the PHP setcookie() method with the additional parameters "secure"
> and "httpOnly" (description from PHP.net):
>
> secure: Indicates that the cookie should only be transmitted over a
> secure HTTPS connection from the client. When set to TRUE, the cookie
> will only be set if a secure connection exists. The default is FALSE. On
> the server-side, it's on the programmer to send this kind of cookie only
> on secure connection (e.g. with respect to $_SERVER["HTTPS"]).
>
> httpOnly: When TRUE the cookie will be made accessible only through the
> HTTP protocol. This means that the cookie won't be accessible by
> scripting languages, such as JavaScript. This setting can effectively
> help to reduce identity theft through XSS attacks (although it is not
> supported by all browsers). Added in PHP 5.2.0. TRUE or FALSE
>
> In TYPO3_CONF_VARS[SYS] two new settings are introduced:
> * cookieSecure: Integer 0, 1, 2
> + 0: do not use the secure flag
> + 1: only use the secure flag (force SSL) and do not set cookie if no
> HTTPS connection exists
> + 2: use secure flag only if HTTPS connection exists, otherwise don't
> use that flag but set the regular cookie
> * cookieHttpOnly: Boolean
>
>
> olly
>
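As an added example (not the patch from the RFC above and not TYPO3's own code), the three cookieSecure modes and the cookieHttpOnly switch mapped onto the "secure" and "httpOnly" parameters of PHP's setcookie(); the helper names resolveCookieFlags/sendSessionCookie and the HTTPS detection through $_SERVER["HTTPS"] are assumptions:

```php
<?php
// Added example, not TYPO3 code: map the cookieSecure modes (0, 1, 2) and
// cookieHttpOnly onto the setcookie() "secure" and "httponly" parameters.
// Helper names are hypothetical.

// Decide whether and with which flags a cookie is sent.
// Returns array('secure' => bool, 'httponly' => bool), or null when the
// cookie must not be set at all (mode 1 on a plain HTTP request).
function resolveCookieFlags($cookieSecure, $cookieHttpOnly, $isHttps) {
    switch ((int) $cookieSecure) {
        case 0:
            // never use the secure flag
            $secure = false;
            break;
        case 1:
            // force SSL: refuse to set the cookie without an HTTPS connection
            if (!$isHttps) {
                return null;
            }
            $secure = true;
            break;
        case 2:
            // secure flag only when HTTPS is in use, otherwise a regular cookie
            $secure = $isHttps;
            break;
        default:
            throw new InvalidArgumentException('cookieSecure must be 0, 1 or 2');
    }
    return array('secure' => $secure, 'httponly' => (bool) $cookieHttpOnly);
}

// Assumption: the web server reports TLS through $_SERVER["HTTPS"]
// (set and not "off", as the PHP manual describes for $_SERVER["HTTPS"]).
function isHttpsRequest() {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Send a session cookie (expire 0, path "/", no domain) honouring the settings.
// Returns false when the cookie was deliberately withheld (mode 1 over HTTP).
function sendSessionCookie($name, $value, $cookieSecure, $cookieHttpOnly) {
    $flags = resolveCookieFlags($cookieSecure, $cookieHttpOnly, isHttpsRequest());
    if ($flags === null) {
        return false;
    }
    return setcookie($name, $value, 0, '/', '', $flags['secure'], $flags['httponly']);
}
```

With cookieSecure=2 the same call produces a Secure cookie on an HTTPS request and a plain one over HTTP, which is the behaviour the RFC describes for mode 2.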