Feature #18172

Transfer cookies via SSL only whenever possible

Added by Oliver Hader over 13 years ago. Updated almost 11 years ago.

Should have

TYPO3 sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if a cookie does not carry the secure attribute, the client may also send it to the server over non-secure channels (plain HTTP). An attacker who can observe that non-secure channel may intercept the cookie and use it for a session hijacking attack.

It is best practice that any cookie sent (Set-Cookie) over an SSL connection explicitly carries the secure flag.

This affects front-end and back-end.

see: http://de2.php.net/setcookie
(and compare how this is applied in TYPO3)

(issue imported from #M7461)


0007461.patch (7.22 KB), Administrator Admin, 2009-09-16 22:56
0007461_v3.patch (7.81 KB), Administrator Admin, 2009-09-30 18:48

Related issues

Has duplicate: TYPO3 Core - Feature #19383: Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS (Closed, Oliver Hader, 2008-09-27)


Updated by Marcus Krause about 12 years ago

Any objections to set status to public?
Imho, this does not describe a vulnerability - just an additional measurement to increase security.


Updated by Benni Mack almost 12 years ago

Hey Olly,

are you gonna prepare a patch for this? I recently noticed this issue as well when security-checking a website of a client of mine.


Updated by Oliver Hader almost 12 years ago

Hi Benni,
yes, I'm going to work on a solution for this tomorrow...


Updated by Marcus Krause almost 12 years ago

I'm looking forward to this patch. ;-)


Updated by Oliver Hader over 11 years ago

There are two new settings in TYPO3_CONF_VARS:
  • cookieSecure: Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client
  • cookieHttpOnly: When enabled the cookie will be made accessible only through the HTTP protocol

I'm not sure what should happen, when cookieSecure is set but the server does not support HTTPS at all...


Updated by Daniel Poetzinger over 11 years ago

+1 on testing

To secureCookie - it would be good to have 3 modes:
0 - never with secure flag
1 - secure if possible (see below)
2 - only if secure connection (if no secure connection, no cookie will be set at all!)

I think the most secure way is 2

To 1:
a) if a user starts with http:// he gets an insecure cookie. If he then switches to https, the cookie stays insecure

b) the user enters https:// and gets a secure cookie. If the user switches to http:// he gets a new session, since TYPO3 "thinks" it's a new user. If he then switches to https again it's the same as in (a).

Browsers always seem to use the last cookie that was sent with a certain key.
(need to test IE6)
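The following is an added example, not TYPO3 core code and not the patch attached to this issue. It shows how the secure and HttpOnly flags from the description and from the cookieSecure / cookieHttpOnly settings mentioned above could be derived per request, using the three cookieSecure modes proposed in the previous comment (0, 1 and 2). The function names, the detection of HTTPS via `$_SERVER['HTTPS']` and the option keys are assumptions of this example; only `setcookie()` itself is the real PHP API the issue refers to.

```php
<?php
// Added example (not TYPO3 code): decide the secure/httponly flags of the
// session cookie from two hypothetical settings modelled on cookieSecure and
// cookieHttpOnly, with cookieSecure interpreted as the three proposed modes:
//   0 = never set the secure flag
//   1 = set it when the current request is HTTPS, otherwise send an insecure cookie
//   2 = only ever set the cookie over HTTPS (no cookie at all over plain HTTP)

function requestIsHttps(array $server): bool
{
    // Most SAPIs set $_SERVER['HTTPS'] to a non-empty value other than 'off'
    // when the request arrived over TLS; port 443 is a fallback heuristic.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== '' && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443;
}

/**
 * Returns null when the cookie must not be sent at all (mode 2 over plain HTTP),
 * otherwise the options array to hand to setcookie().
 */
function sessionCookieOptions(int $cookieSecure, bool $cookieHttpOnly, array $server): ?array
{
    $https = requestIsHttps($server);
    switch ($cookieSecure) {
        case 0:
            $secure = false;
            break;
        case 1:
            $secure = $https;          // "secure if possible"
            break;
        case 2:
            if (!$https) {
                return null;           // refuse to start a session over a plain-text channel
            }
            $secure = true;
            break;
        default:
            throw new InvalidArgumentException("unknown cookieSecure mode $cookieSecure");
    }
    return [
        'expires'  => 0,               // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $secure,
        'httponly' => $cookieHttpOnly, // not readable from JavaScript (document.cookie)
    ];
}

function sendSessionCookie(string $name, string $value, int $cookieSecure, bool $cookieHttpOnly): bool
{
    $opts = sessionCookieOptions($cookieSecure, $cookieHttpOnly, $_SERVER);
    if ($opts === null) {
        return false;
    }
    // PHP >= 7.3 accepts the options array; on older PHP the positional form is
    // setcookie($name, $value, 0, '/', '', $opts['secure'], $opts['httponly'])
    return setcookie($name, $value, $opts);
}

// Self-check against two constructed request environments (nothing is sent here).
function selfCheck(): bool
{
    $plainHttp = ['HTTPS' => '', 'SERVER_PORT' => '80'];
    $tls       = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];
    return sessionCookieOptions(0, true, $tls)['secure'] === false
        && sessionCookieOptions(1, true, $plainHttp)['secure'] === false
        && sessionCookieOptions(1, true, $tls)['secure'] === true
        && sessionCookieOptions(2, true, $plainHttp) === null
        && sessionCookieOptions(2, true, $tls)['secure'] === true
        && sessionCookieOptions(2, true, $tls)['httponly'] === true;
}

echo selfCheck() ? "cookie flag logic OK\n" : "cookie flag logic BROKEN\n";
```

Mode 1 reproduces the caveat raised in the comment above: a cookie issued during a plain http:// request carries no secure flag, and this code does not re-issue it when the same visitor later switches to https://, so the browser keeps sending the insecure cookie. Mode 2 avoids that by never creating the session over HTTP at all, which is why it is the strict choice for sites that are available over HTTPS only; a site without HTTPS would set no cookie in mode 2, which is the open question from the earlier comment.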


Updated by Oliver Hader over 11 years ago

Committed to SVN Trunk (rev. 6080)
