Feature #24647: Enable cookieHttpOnly by default - TYPO3 Core - TYPO3 Forge

Custom queries

12 LTS
Accessibility
Dashboard issues
Easy tasks
Extbase Issues
FAL Issues
FAL Sprint 2023
Hierarchical Issues
Issues reported for v11
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
Most wanted Bugfixes
Most wanted Features
My open issues
New & Unassigned
No feedback within 90 days
Open Bugs
Open issues of 10
Page Tree Regressions after 2020-07-28
Recently modified
Regressions
Stabilization Issues

Watchers (2)

Ingo Schmitt
Steffen Müller

Actions

Copy link

Feature #24647

closed

Enable cookieHttpOnly by default

Added by Helmut Hummel about 13 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Christian Kuhn

Category:

Install Tool

Target version:

6.2.0

Start date:

2011-01-18

Due date:

% Done:

100%

Estimated time:

PHP Version:

Tags:

Complexity:

easy

Sprint Focus:

Description

Problem:
In case of an existing Cross Site Scripting vulnerability, it is possible to "steal" session cookies enabling the attacker to probably take over the user session.

Solution:
Enable cookieHttpOnly by default, which prevents JavaScript from accessing the session cookie. While this is not supported in older browsers, it works with all modern browsers and it does not cause any side effects (not to my knowlege).

(issue imported from #M17124)

Related issues 2 (0 open — 2 closed)

Related to TYPO3 Core - Bug #23521: Flash Uploader does not work if cookieHttpOnly is enabled

Rejected

Steffen Gebert

2010-09-09

Actions

Related to TYPO3 Core - Task #53291: Mention new default value for HttpOnly-cookie in NEWS.txt

Closed

2013-11-03

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Steffen Gebert about 13 years ago

Sorry, I disagree. We AFAIK need the cookie in the File Uploaders in BE and I think ExtDirect, too. Although I'd really like to see this activated, I think it's not possible.

Can't judge exactly for the FE.

Actions

Copy link

Updated by Helmut Hummel about 13 years ago

Sad, but I can confirm that the flash uploader does not work with that setting. Probably flash needs to get the cookie by javascript to send it back.

pulpuload worked and I really don't know why extDirect should need it.

I have this active on several customer sites and did not have any problems (except the flash uploader, which I though was another bug), neither in the backend nor in the frontend (TYPO3 4.4.x)

But I agree this needs further investigation, so postponed for 4.6

Actions

Copy link