Transfer cookies via SSL only whenever possible
TYPO3 sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack.
It is best business practice that any cookies that are sent (set-cookie) over an SSL connection explicitly state secure on them.
This affects front-end and back-end.
(and compare how this is applied in TYPO3)
(issue imported from #M7461)
#5 Updated by Oliver Hader over 10 years ago
- cookieSecure: Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client
- cookieHttpOnly: When enabled, the cookie will be made accessible only through the HTTP protocol
I'm not sure what should happen, when cookieSecure is set but the server does not support HTTPS at all...
#6 Updated by Daniel Poetzinger over 10 years ago
+1 on testing
To secureCookie - it would be good to have 3 modes:
0 - never with secure flag
1 - secure if possible (see below)
2 - only if secure connection (if no secure connection no cookie will be set at all!)
I think the most secure way is 2.
a) If a user starts with http:// he gets an insecure cookie. If he then switches to https, the cookie stays insecure.
b) The user enters https:// and gets a secure cookie. If the user switches to http:// he gets a new session since TYPO3 "thinks" it is a new user. If he then switches to https again it is the same as (a).
Browsers seem to always use the last cookie that was sent with a certain key.
(need to test IE6)
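As an added example (not TYPO3 code, and not part of any comment above), the following PHP shows how the cookieSecure and cookieHttpOnly settings from comment #5 and the three modes proposed in comment #6 could be applied when a session cookie is issued. The function and constant names (`sessionCookieOptions`, `emitSessionCookie`, `COOKIE_SECURE_*`) are illustrative assumptions; the code relies on the options-array form of `setcookie()` available since PHP 7.3.

```php
<?php
// Added example, not TYPO3 code. Names below are illustrative assumptions.
declare(strict_types=1);

const COOKIE_SECURE_NEVER  = 0; // mode 0: never set the Secure flag
const COOKIE_SECURE_IF_TLS = 1; // mode 1: Secure flag only when the request came over HTTPS
const COOKIE_SECURE_ONLY   = 2; // mode 2: Secure required; no cookie at all over plain HTTP

/**
 * Work out the attributes for a session cookie under a given cookieSecure mode.
 * Returns null when the cookie must not be set at all (mode 2 over HTTP).
 */
function sessionCookieOptions(int $mode, bool $isHttps, bool $httpOnly): ?array
{
    switch ($mode) {
        case COOKIE_SECURE_NEVER:
            $secure = false;
            break;
        case COOKIE_SECURE_IF_TLS:
            $secure = $isHttps;
            break;
        case COOKIE_SECURE_ONLY:
            if (!$isHttps) {
                return null; // refuse to start a session over a non-secure channel
            }
            $secure = true;
            break;
        default:
            throw new InvalidArgumentException("unknown cookieSecure mode $mode");
    }

    return [
        'expires'  => 0,         // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $secure,   // browser sends the cookie over HTTPS only
        'httponly' => $httpOnly, // cookieHttpOnly: not readable by script
        'samesite' => 'Lax',
    ];
}

/** Emit the Set-Cookie header for the current request; false if the mode forbids it. */
function emitSessionCookie(string $name, string $value, int $mode, bool $httpOnly): bool
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;

    $options = sessionCookieOptions($mode, $isHttps, $httpOnly);
    if ($options === null) {
        return false;
    }
    return setcookie($name, $value, $options);
}

// Constructed walk-through of what each mode does over http and https.
foreach ([COOKIE_SECURE_NEVER, COOKIE_SECURE_IF_TLS, COOKIE_SECURE_ONLY] as $mode) {
    foreach ([false, true] as $https) {
        $o = sessionCookieOptions($mode, $https, true);
        printf(
            "mode %d over %-5s: %s\n",
            $mode,
            $https ? 'https' : 'http',
            $o === null ? 'no cookie set' : ($o['secure'] ? 'Secure flag set' : 'no Secure flag')
        );
    }
}
```

Mode 1 reproduces case (a) from comment #6: a session begun over http:// gets a cookie without the Secure flag, and since the browser keeps sending the last cookie it received for that name, the switch to https:// does not make it secure. Mode 2 avoids that by refusing to issue a session cookie at all unless the request already arrived over HTTPS, which is the trade-off the comment describes.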