Feature #19383

Make use of setcookie()'s additional parameters in t3lib_userAuth to prevent XSS

Added by Marcus Krause over 11 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2008-09-27
Due date:
% Done:

0%

PHP Version:
5.2
Tags:
Complexity:
Sprint Focus:

Description

Background:
Worst case in terms of XSS is the capture of an admin's cookie. If so, a malicious user has gained admin rights for TYPO3.
Proper use of $TYPO3_CONF_VARS['BE']['lockIP'] reduces the possibility of XSS but even when it's set to 4, it's no solution if all users are behind one proxy.

The feature request ...

setcookie()'s 6th parameter - secure:
This makes sure, that an cookie is only submitted though SSL connection. The parameter could be used for BE-User who are using SSL only. The implementation could be done without adding additional configuration parameters - Method start() has a check for FE/BE. Then you have to additionally check that $TYPO3_CONF_VARS['BE']['lockSSL'] is either set to 1 or 2. Done.

setcookie()'s 7th parameter - httponly (introduced in PHP 5.2):
This makes sure that a cookie is accessible through HTTP only and p.ex. not through JavaScript. Modern browsers do support the HttpOnly flag - Opera 9.5, Internet Explorer 7, and Firefox 3. The flag is highly valuable against XSS. Cookie-access though JS's document.cookie won't work anymore. Implementation would require an additional boolean parameter like $TYPO3_CONF_VARS['SYS']['cookieHttpOnly']. The flag could be used for both FE and BE users.

setcookie-manual: http://php.net/manual/en/function.setcookie.php
(issue imported from #M9440)


Related issues

Duplicates TYPO3 Core - Feature #18172: Transfer cookies via SSL only whenever possible Closed 2008-02-08

History

#1 Updated by Oliver Hader over 10 years ago

Duplicate of issue #18172 and solved there

#2 Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF