Feature #19383

Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS

Added by Marcus Krause over 11 years ago. Updated over 1 year ago.

Should have

Worst case in terms of XSS is the capture of an admin's cookie. If so, a malicious user has gained admin rights for TYPO3.
Proper use of $TYPO3_CONF_VARS['BE']['lockIP'] reduces the possibility of XSS but even when it's set to 4, it's no solution if all users are behind one proxy.

The feature request ...

setcookie()'s 6th parameter - secure:
This makes sure that a cookie is only submitted through an SSL connection. The parameter could be used for BE users who are using SSL only. The implementation could be done without adding additional configuration parameters - method start() has a check for FE/BE. Then you have to additionally check that $TYPO3_CONF_VARS['BE']['lockSSL'] is either set to 1 or 2. Done.

setcookie()'s 7th parameter - httponly (introduced in PHP 5.2):
This makes sure that a cookie is accessible through HTTP only and e.g. not through JavaScript. Modern browsers do support the HttpOnly flag - Opera 9.5, Internet Explorer 7, and Firefox 3. The flag is highly valuable against XSS. Cookie access through JS's document.cookie won't work anymore. Implementation would require an additional boolean parameter like $TYPO3_CONF_VARS['SYS']['cookieHttpOnly']. The flag could be used for both FE and BE users.

setcookie-manual: http://php.net/manual/en/function.setcookie.php
(issue imported from #M9440)
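As an added illustration of the two flags the request proposes (this is example code, not TYPO3 core code or the patch that resolved the issue): the `secure` flag is derived from the BE/FE distinction plus `$TYPO3_CONF_VARS['BE']['lockSSL']`, and `httponly` from the hypothetical `$TYPO3_CONF_VARS['SYS']['cookieHttpOnly']` option named above. The function names `cookieFlags()` and `setSessionCookie()` and the sample configuration are constructed for this example.

```php
<?php
// Added example (not TYPO3 core code): derive the secure/httponly flags for the
// session cookie the way the feature request describes, then hand them to
// setcookie()'s 6th and 7th parameters (httponly needs PHP 5.2 or later).

/**
 * Decide the cookie flags.
 *
 * @param string $loginType 'BE' or 'FE', as distinguished in t3lib_userAuth::start()
 * @param array  $conf      the relevant parts of $TYPO3_CONF_VARS
 * @return array array('secure' => bool, 'httponly' => bool)
 */
function cookieFlags($loginType, array $conf)
{
    // secure: only for backend users, and only when lockSSL is 1 or 2, i.e. the
    // backend is served over SSL anyway. A Secure cookie on a plain-HTTP backend
    // would never be sent back by the browser and every login would fail.
    $lockSSL = isset($conf['BE']['lockSSL']) ? (int) $conf['BE']['lockSSL'] : 0;
    $secure = ($loginType === 'BE') && in_array($lockSSL, array(1, 2), true);

    // httponly: one global switch (hypothetical option name from the request),
    // valid for FE and BE users alike, keeps document.cookie from reading the value.
    $httpOnly = !empty($conf['SYS']['cookieHttpOnly']);

    return array('secure' => $secure, 'httponly' => $httpOnly);
}

/**
 * Emit the session cookie with the computed flags.
 * expire = 0 makes it a session cookie; path '/' and the configured domain are
 * passed through unchanged.
 */
function setSessionCookie($name, $value, $loginType, array $conf, $domain = '')
{
    $flags = cookieFlags($loginType, $conf);
    return setcookie($name, $value, 0, '/', $domain, $flags['secure'], $flags['httponly']);
}

// Constructed sample configuration: backend locked to SSL, HttpOnly switched on.
$conf = array(
    'BE'  => array('lockSSL' => 2),
    'SYS' => array('cookieHttpOnly' => 1),
);
var_dump(cookieFlags('BE', $conf)); // secure => true,  httponly => true
var_dump(cookieFlags('FE', $conf)); // secure => false, httponly => true
```

To confirm the flags actually reach the browser, inspect the `Set-Cookie` response header after login (for example with the browser's network panel or `headers_list()` in a test script) and check for the `; secure` and `; HttpOnly` attributes; a missing `HttpOnly` on an older PHP build means the 7th parameter was silently ignored.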

Related issues

Duplicates TYPO3 Core - Feature #18172: Transfer cookies via SSL only whenever possible Closed 2008-02-08


#1 Updated by Oliver Hader over 10 years ago

Duplicate of issue #18172 and solved there

#2 Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed
