Feature #24647

Enable cookieHttpOnly by default

Added by Helmut Hummel over 6 years ago. Updated almost 4 years ago.

Status: Resolved
Priority: Should have
Category: Install Tool
Target version:
Start date: 2011-01-18
Due date:
% Done: 100%
PHP Version:
Tags:
Complexity: easy
Sprint Focus:

Description

Problem:
In case of an existing Cross Site Scripting vulnerability, it is possible to "steal" session cookies enabling the attacker to probably take over the user session.

Solution:
Enable cookieHttpOnly by default, which prevents JavaScript from accessing the session cookie. While this is not supported in older browsers, it works with all modern browsers and it does not cause any side effects (not to my knowledge).

(issue imported from #M17124)
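As an added illustration, not code from this ticket or from the TYPO3 patch: a small Python auditor that parses the Set-Cookie headers a response carries and reports every cookie that lacks the HttpOnly attribute, which is exactly the state the description warns about, since a cookie without that attribute is readable through document.cookie by any script running in the page. The sample headers are constructed; the cookie names fe_typo_user and be_typo_user are assumed TYPO3 session cookie names and do not come from the ticket. Enabling the option the ticket names ($TYPO3_CONF_VARS['SYS']['cookieHttpOnly']) is what turns the "before" header into the "after" one.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example, not part of the TYPO3 issue or its patch. It parses the
Set-Cookie header values of an HTTP response and lists every cookie that
script in the page could still read because HttpOnly is absent.
The sample headers below are constructed; the cookie names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> value, or None for flag attributes
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased.
    Flag attributes such as HttpOnly and Secure carry no '=' and map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else None
    return Cookie(name.strip(), value, attrs)


def cookies_readable_by_script(headers: List[str]) -> List[str]:
    """Return the names of cookies that lack HttpOnly, i.e. cookies that
    document.cookie exposes to any script running in the page."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


# Constructed sample: headers as sent with cookieHttpOnly disabled,
# and the same cookies after the setting is enabled.
BEFORE = [
    "fe_typo_user=0123456789abcdef0123456789abcdef; path=/",
    "be_typo_user=fedcba9876543210fedcba9876543210; path=/",
]
AFTER = [
    "fe_typo_user=0123456789abcdef0123456789abcdef; path=/; HttpOnly",
    "be_typo_user=fedcba9876543210fedcba9876543210; path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        exposed = cookies_readable_by_script(headers)
        print(f"{label}: script-readable cookies = {exposed or 'none'}")
```

Run against a real response, the function takes the list of Set-Cookie values from the response headers; any name it returns is a cookie worth re-checking in the server configuration.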


Related issues

Related to Core - Bug #23521: Flash Uploader does not work if cookieHttpOnly is enabled Rejected 2010-09-09
Related to Core - Task #53291: Mention new default value for HttpOnly-cookie in NEWS.txt Resolved 2013-11-03
Precedes Security Guide - Task #53875: Add information about $TYPO3_CONF_VARS['SYS']['cookieHttpOnly'] Resolved 2013-11-22 2014-03-18

Associated revisions

Revision 227a4b34 (diff)
Added by Tomita Militaru almost 4 years ago

[FEATURE] Enable cookieHttpOnly by default

Enable cookieHttpOnly by default, which prevents
JavaScript from accessing the session cookie

Resolves: #24647
Releases: 6.2
Change-Id: Id000c9221232aeae325c82db079539564cd36b93
Reviewed-on: https://review.typo3.org/25122
Reviewed-by: Ingo Schmitt
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Reviewed-by: Steffen Müller
Tested-by: Steffen Müller

History

#1 Updated by Steffen Gebert over 6 years ago

Sorry, I disagree. We AFAIK need the cookie in the File Uploaders in BE and I think ExtDirect, too. Although I'd really like to see this activated, I think it's not possible.

Can't judge exactly for the FE.

#2 Updated by Helmut Hummel over 6 years ago

Sad, but I can confirm that the flash uploader does not work with that setting. Probably flash needs to get the cookie by javascript to send it back.

plupload worked and I really don't know why extDirect should need it.

I have this active on several customer sites and did not have any problems (except the flash uploader, which I thought was another bug), neither in the backend nor in the frontend (TYPO3 4.4.x).

But I agree this needs further investigation, so postponed for 4.6

#3 Updated by Steffen Gebert over 6 years ago

Umm.. maybe because you used the HTML5 engine of plupload?

#4 Updated by Xavier Perseguers about 6 years ago

  • Target version deleted (4.6.0-beta1)

#5 Updated by Helmut Hummel over 5 years ago

  • File 24647.diff added
  • TYPO3 Version changed from 4.5 to 4.7

Here's a patch for the flash upload functionality which makes it possible to set this option by default.

#6 Updated by Helmut Hummel over 5 years ago

  • File deleted (24647.diff)

#7 Updated by Helmut Hummel over 5 years ago

Moved the patch to #23521

#8 Updated by Ernesto Baschny almost 4 years ago

  • Category set to Install Tool
  • Status changed from New to Accepted
  • Assignee set to Christian Kuhn
  • Target version set to 6.2.0
  • Complexity set to easy

We discussed this in the release team today and agreed that this should be the new default starting with 6.2.

#9 Updated by Gerrit Code Review almost 4 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/25122

#10 Updated by Gerrit Code Review almost 4 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/25122

#11 Updated by Tomita Militaru almost 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#12 Updated by Markus Klein almost 4 years ago

Missing documentation ticket!!!

#13 Updated by Chris topher almost 4 years ago

See #24647 for the Security Guide.

#14 Updated by Steffen Müller almost 4 years ago

See also in NEWS.txt #53291
