Project

General

Profile

Actions

Feature #24647

closed

Enable cookieHttpOnly by default

Added by Helmut Hummel almost 14 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Should have
Category:
Install Tool
Target version:
Start date:
2011-01-18
Due date:
% Done:

100%

Estimated time:
PHP Version:
Tags:
Complexity:
easy
Sprint Focus:

Description

Problem:
In case of an existing Cross Site Scripting vulnerability, it is possible to "steal" session cookies enabling the attacker to probably take over the user session.

Solution:
Enable cookieHttpOnly by default, which prevents JavaScript from accessing the session cookie. While this is not supported in older browsers, it works with all modern browsers and it does not cause any side effects (not to my knowlege).

(issue imported from #M17124)


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #23521: Flash Uploader does not work if cookieHttpOnly is enabledRejectedSteffen Gebert2010-09-09

Actions
Related to TYPO3 Core - Task #53291: Mention new default value for HttpOnly-cookie in NEWS.txtClosed2013-11-03

Actions
Actions #1

Updated by Steffen Gebert almost 14 years ago

Sorry, I disagree. We AFAIK need the cookie in the File Uploaders in BE and I think ExtDirect, too. Although I'd really like to see this activated, I think it's not possible.

Can't judge exactly for the FE.

Actions #2

Updated by Helmut Hummel almost 14 years ago

Sad, but I can confirm that the flash uploader does not work with that setting. Probably flash needs to get the cookie by javascript to send it back.

pulpuload worked and I really don't know why extDirect should need it.

I have this active on several customer sites and did not have any problems (except the flash uploader, which I though was another bug), neither in the backend nor in the frontend (TYPO3 4.4.x)

But I agree this needs further investigation, so postponed for 4.6

Actions #3

Updated by Steffen Gebert almost 14 years ago

Umm.. maybe because you used the HTML5 engine of plupload?

Actions #4

Updated by Xavier Perseguers over 13 years ago

  • Target version deleted (4.6.0-beta1)
Actions #5

Updated by Helmut Hummel almost 13 years ago

  • File 24647.diff added
  • TYPO3 Version changed from 4.5 to 4.7

Here's a patch for the flash upload functionality which makes it possible to set this option by default.

Actions #6

Updated by Helmut Hummel almost 13 years ago

  • File deleted (24647.diff)
Actions #7

Updated by Helmut Hummel almost 13 years ago

Moved the patch to #23521

Actions #8

Updated by Ernesto Baschny about 11 years ago

  • Category set to Install Tool
  • Status changed from New to Accepted
  • Assignee set to Christian Kuhn
  • Target version set to 6.2.0
  • Complexity set to easy

We discussed this in the release team today and agreed that this should be the new default starting with 6.2.

Actions #9

Updated by Gerrit Code Review about 11 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/25122

Actions #10

Updated by Gerrit Code Review about 11 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/25122

Actions #11

Updated by Tomita Militaru about 11 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #12

Updated by Markus Klein almost 11 years ago

Missing documentation ticket!!!

Actions #13

Updated by Chris topher almost 11 years ago

See #24647 for the Security Guide.

Actions #14

Updated by Steffen Müller almost 11 years ago

See also in NEWS.txt #53291

Actions #15

Updated by Riccardo De Contardi about 7 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF