Feature #18172

closed

Transfer cookies via SSL only whenever possible

Added by Oliver Hader about 16 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2008-02-08
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

TYPO3 sets a cookie over a secure channel without using the "secure" attribute. RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack.

It is best business practice that any cookies that are sent (Set-Cookie) over an SSL connection explicitly state secure on them.

This affects front-end and back-end.

see: http://de2.php.net/setcookie
(and compare how this is applied in TYPO3)

(issue imported from #M7461)


Files

0007461.patch (7.22 KB), Administrator Admin, 2009-09-16 22:56
0007461_v3.patch (7.81 KB), Administrator Admin, 2009-09-30 18:48

Related issues: 1 (0 open, 1 closed)

Has duplicate: TYPO3 Core - Feature #19383: Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS (Closed, Oliver Hader, 2008-09-27)

Actions #1

Updated by Marcus Krause almost 15 years ago

Any objections to setting the status to public?
Imho, this does not describe a vulnerability - just an additional measure to increase security.

Actions #2

Updated by Benni Mack over 14 years ago

Hey Olly,

are you gonna prepare a patch for this? I recently noticed this issue as well when security-checking a website of a client of mine.

Actions #3

Updated by Oliver Hader over 14 years ago

Hi Benni,
yes, I'm going to work on a solution for this tomorrow...

Actions #4

Updated by Marcus Krause over 14 years ago

I'm looking forward to this patch. ;-)

Actions #5

Updated by Oliver Hader over 14 years ago

There are two new settings in TYPO3_CONF_VARS:
  • cookieSecure: Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client
  • cookieHttpOnly: When enabled the cookie will be made accessible only through the HTTP protocol

I'm not sure what should happen when cookieSecure is set but the server does not support HTTPS at all...

Actions #6

Updated by Daniel Poetzinger over 14 years ago

+1 on testing

Regarding secureCookie - it would be good to have 3 modes:
0 - never with secure flag
1 - secure if possible (see below)
2 - only if secure connection (if there is no secure connection, no cookie will be set at all!)

I think the most secure way is 2.

Regarding 1:
a) if a user starts with http:// he gets an insecure cookie. If he then switches to https, the cookie stays insecure.

b) the user enters https:// and gets a secure cookie. If the user switches to http:// he gets a new session since TYPO3 "thinks" it's a new user. If he then switches to https again, it's the same as in (a).

Browsers seem to always use the last cookie that was sent with a certain key.
(Need to test IE6.)
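The three secureCookie modes proposed in this comment, combined with the cookieHttpOnly setting from comment #5, written out as a PHP helper around setcookie(). This is an added example, not TYPO3 core code and not the attached patch; the function names, the use of $_SERVER['HTTPS'] to detect an HTTPS request, and the cookie name are assumptions made for the illustration.

```php
<?php
// Added example (not TYPO3 core code): applies the proposed cookieSecure
// modes 0/1/2 and the cookieHttpOnly flag when emitting a session cookie.
// Assumed, not from the issue: helper names and HTTPS detection via $_SERVER.

/**
 * Decide whether the current request arrived over HTTPS.
 * Apache sets $_SERVER['HTTPS'] to 'on' for TLS requests; IIS sets 'off'
 * for plain HTTP, which is why the value is inspected rather than isset() alone.
 */
function isHttpsRequest(array $server)
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $value = strtolower((string) $server['HTTPS']);
    return $value !== '' && $value !== 'off' && $value !== '0';
}

/**
 * Emit a session cookie according to the cookieSecure mode:
 *   0 - never set the Secure flag
 *   1 - set the Secure flag when the request is HTTPS, otherwise send a plain cookie
 *   2 - only issue the cookie on HTTPS; on plain HTTP set nothing at all
 * cookieHttpOnly maps to the 7th setcookie() argument (available since PHP 5.2.0).
 *
 * Returns true when a Set-Cookie header was emitted, false when mode 2 suppressed it.
 */
function setSessionCookie($name, $value, $cookieSecure, $cookieHttpOnly, array $server)
{
    $https = isHttpsRequest($server);

    switch ((int) $cookieSecure) {
        case 0:
            $secureFlag = false;
            break;
        case 1:
            // "secure if possible": the flag follows the channel of this request
            $secureFlag = $https;
            break;
        case 2:
            if (!$https) {
                // Do not hand out a session identifier over a channel that can be
                // read in transit; the visitor simply gets no session on HTTP.
                return false;
            }
            $secureFlag = true;
            break;
        default:
            throw new InvalidArgumentException('cookieSecure must be 0, 1 or 2');
    }

    // setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
    // $expire = 0 makes it a session cookie; '/' scopes it to the whole site.
    return setcookie($name, $value, 0, '/', '', $secureFlag, (bool) $cookieHttpOnly);
}

// Usage: mode 2 with HttpOnly enabled. The cookie name and value are constructed
// placeholders for this example.
$sent = setSessionCookie('example_session', uniqid('sess', true), 2, true, $_SERVER);
```

With mode 1, the case (a) described above can be narrowed: because browsers keep the last cookie sent under a given name, re-issuing the same session cookie with the Secure flag on the first HTTPS request replaces the earlier insecure copy, so the session identifier stops being sent over plain HTTP from that point on.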

Actions #7

Updated by Oliver Hader over 14 years ago

Committed to SVN Trunk (rev. 6080)
