Feature #18172
closed
Transfer cookies via SSL only whenever possible
Added by Oliver Hader almost 17 years ago.
Updated over 14 years ago.
Description
TYPO3 sets a cookie over a secure channel without using the "secure" attribute. The RFC states that if the cookie does not have the secure attribute assigned to it, then the cookie can be passed to the server by the client over non-secure channels (http). Using this attack, an attacker may be able to intercept this cookie over the non-secure channel and use it for a session hijacking attack.
It is best business practice that any cookies sent (set-cookie) over an SSL connection explicitly state secure on them.
This affects front-end and back-end.
see: http://de2.php.net/setcookie
(and compare how this is applied in TYPO3)
(issue imported from #M7461)
Any objections to set status to public?
Imho, this does not describe a vulnerability - just an additional measurement to increase security.
Hey Olly,
are you gonna prepare a patch for this? I recently noticed this issue as well when security-checking a website of a client of mine.
Hi Benni,
yes, I'm going to work on a solution for this tomorrow...
I'm looking forward to this patch. ;-)
There are two new settings in TYPO3_CONF_VARS:
- cookieSecure: Indicates that the cookie should only be transmitted over a secure HTTPS connection from the client
- cookieHttpOnly: When enabled, the cookie will be made accessible only through the HTTP protocol
I'm not sure what should happen when cookieSecure is set but the server does not support HTTPS at all...
+1 on testing
Regarding secureCookie - it would be good to have 3 modes:
0 - never with secure flag
1 - secure if possible (see below)
2 - only if secure connection (if no secure connection, no cookie will be set at all!)
I think the most secure way is 2
Regarding 1:
a) if a user starts with http:// he gets an insecure cookie. If he then switches to https, the cookie stays insecure
b) user enters https:// - he gets a secure cookie. If the user switches to http:// he gets a new session since TYPO3 "thinks" it's a new user. If he then switches to https again it's the same as (a).
Browsers seem to always use the last cookie that was sent with a certain key.
(need to test IE6)
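As an added illustration (not TYPO3's own code from this ticket), here is how the three cookieSecure modes proposed above, together with cookieHttpOnly, could be applied when issuing the session cookie via PHP's setcookie(); the function names and the HTTPS detection are assumptions, only the two config keys come from the ticket.

```php
<?php
/**
 * Decide how (and whether) the session cookie is sent.
 *
 * $cookieSecure: 0 = never set the secure flag,
 *                1 = secure flag only when the request came in over HTTPS,
 *                2 = send the cookie only over HTTPS (nothing on plain HTTP).
 * Returns the secure/httponly flags for setcookie(), or null when the
 * cookie must not be sent at all (mode 2 on a non-HTTPS request).
 */
function sessionCookieFlags(int $cookieSecure, bool $cookieHttpOnly, bool $isHttps): ?array
{
    if ($cookieSecure === 2 && !$isHttps) {
        // Mode 2: refuse to issue a session cookie over an unencrypted connection.
        return null;
    }
    return [
        // Mode 1 and 2: secure flag whenever the connection itself is secure.
        'secure'   => $cookieSecure >= 1 && $isHttps,
        'httponly' => $cookieHttpOnly,
    ];
}

/**
 * Hypothetical wrapper: $conf stands for $TYPO3_CONF_VARS['SYS'] (assumption).
 * Returns false when no cookie was sent.
 */
function sendSessionCookie(string $name, string $value, array $conf): bool
{
    // Assumed HTTPS detection; real code would also consider reverse proxies.
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $flags = sessionCookieFlags((int)$conf['cookieSecure'], (bool)$conf['cookieHttpOnly'], $isHttps);
    if ($flags === null) {
        return false;
    }
    // setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
    // expire 0 makes it a session cookie.
    return setcookie($name, $value, 0, '/', '', $flags['secure'], $flags['httponly']);
}
```

With mode 1 the behaviour described in (a) and (b) above still occurs, since the flag depends on the scheme of the request that created the cookie; only mode 2 guarantees the session cookie never travels over http.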
Committed to SVN Trunk (rev. 6080)