Feature #24647: Enable cookieHttpOnly by default - TYPO3 Core - TYPO3 Forge

Actions

Feature #24647

closed

Enable cookieHttpOnly by default

Added by Helmut Hummel almost 14 years ago. Updated about 7 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Install Tool

Target version:

Start date:

2011-01-18

Due date:

% Done:

100%

Estimated time:

PHP Version:

Tags:

Complexity:

easy

Sprint Focus:

Description

Problem:
In case of an existing Cross Site Scripting vulnerability, it is possible to "steal" session cookies enabling the attacker to probably take over the user session.

Solution:
Enable cookieHttpOnly by default, which prevents JavaScript from accessing the session cookie. While this is not supported in older browsers, it works with all modern browsers and it does not cause any side effects (not to my knowlege).

(issue imported from #M17124)

Related issues 2 (0 open — 2 closed)

Actions

#1

Updated by Steffen Gebert almost 14 years ago

Sorry, I disagree. We AFAIK need the cookie in the File Uploaders in BE and I think ExtDirect, too. Although I'd really like to see this activated, I think it's not possible.

Can't judge exactly for the FE.

Actions

#2

Updated by Helmut Hummel almost 14 years ago

Sad, but I can confirm that the flash uploader does not work with that setting. Probably flash needs to get the cookie by javascript to send it back.

pulpuload worked and I really don't know why extDirect should need it.

I have this active on several customer sites and did not have any problems (except the flash uploader, which I though was another bug), neither in the backend nor in the frontend (TYPO3 4.4.x)

But I agree this needs further investigation, so postponed for 4.6

Actions

#3

Updated by Steffen Gebert almost 14 years ago

Umm.. maybe because you used the HTML5 engine of plupload?

Actions

#4

Updated by Xavier Perseguers over 13 years ago

Target version deleted (~~4.6.0-beta1~~)

Actions

#5

Updated by Helmut Hummel almost 13 years ago

File 24647.diff added
TYPO3 Version changed from 4.5 to 4.7

Here's a patch for the flash upload functionality which makes it possible to set this option by default.

Actions

#6

Updated by Helmut Hummel almost 13 years ago

File deleted (~~24647.diff~~)

Actions

#7

Updated by Helmut Hummel almost 13 years ago

Moved the patch to #23521

Actions

#8

Updated by Ernesto Baschny about 11 years ago

Category set to Install Tool
Status changed from New to Accepted
Assignee set to Christian Kuhn
Target version set to 6.2.0
Complexity set to easy

We discussed this in the release team today and agreed that this should be the new default starting with 6.2.

Actions

#9

Updated by Gerrit Code Review about 11 years ago

Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/25122

Actions

#10

Updated by Gerrit Code Review about 11 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/25122

Actions

#11

Updated by Tomita Militaru about 11 years ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset 227a4b3436aa295e7cd3e4c71e86c94141d14e88.

Actions

#12

Updated by Markus Klein almost 11 years ago

Missing documentation ticket!!!

Actions

#13

Updated by Chris topher almost 11 years ago

See #24647 for the Security Guide.

Actions

#14

Updated by Steffen Müller almost 11 years ago

See also in NEWS.txt #53291

Actions

#15

Updated by Riccardo De Contardi about 7 years ago

Status changed from Resolved to Closed

Actions

Also available in: Atom PDF