Feature #18172

closed

Transfer cookies via SSL only whenever possible

Added by Oliver Hader almost 17 years ago. Updated over 14 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: -
Target version: -
Start date: 2008-02-08
Due date:
% Done: 0%
Estimated time:
PHP Version: 5.2
Tags:
Complexity:
Sprint Focus:

Description

TYPO3 sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack.

It is best business practice that any cookies that are sent (set-cookie) over an SSL connection explicitly state secure on them.

This affects front-end and back-end.

see: http://de2.php.net/setcookie
(and compare how this is applied in TYPO3)

(issue imported from #M7461)
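The fix the report asks for, as an added example that is not TYPO3 core code: derive the "secure" flag from whether the request itself arrived over SSL and pass it, together with "httponly", as the sixth and seventh setcookie() parameters. The cookie name, the session value and the helper function names are constructed for this example.

```php
<?php
// Added example, not TYPO3 core code: send a session cookie with the "secure"
// attribute whenever the request arrived over SSL, and "httponly" always.

// Constructed helper: decide from the server environment whether the client
// reached us over an encrypted channel. Reverse-proxy headers such as
// X-Forwarded-Proto are deliberately not consulted, since a client can forge them.
function requestIsSecure(array $server)
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Constructed helper: build the setcookie() parameter list so the decision is
// visible (and unit-testable) without sending any headers.
function sessionCookieParams($name, $value, array $server)
{
    return array(
        'name'     => $name,
        'value'    => $value,
        'expire'   => 0,                        // session cookie, gone when browser closes
        'path'     => '/',
        'domain'   => '',                       // current host only
        'secure'   => requestIsSecure($server), // browser never sends it over plain http
        'httponly' => true,                     // PHP >= 5.2: hidden from document.cookie
    );
}

$sessionId = 'constructed-session-id';         // placeholder, not a real session value

// The weak call described in the report: no secure flag even on an SSL request.
// setcookie('example_session', $sessionId);

// Corrected call: secure follows the transport, httponly is always set.
$p = sessionCookieParams('example_session', $sessionId, $_SERVER);
setcookie($p['name'], $p['value'], $p['expire'], $p['path'],
          $p['domain'], $p['secure'], $p['httponly']);
```

On a plain-http request the cookie is still set, but without the secure attribute, which is what "whenever possible" in the title means; the browser then sends it on both channels.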


Files

0007461.patch (7.22 KB) 0007461.patch Administrator Admin, 2009-09-16 22:56
0007461_v3.patch (7.81 KB) 0007461_v3.patch Administrator Admin, 2009-09-30 18:48

Related issues 1 (0 open1 closed)

Has duplicate: TYPO3 Core - Feature #19383: Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS (Closed, Oliver Hader, 2008-09-27)
