Feature #24647
closed
Enable cookieHttpOnly by default
Added by Helmut Hummel almost 14 years ago.
Updated about 7 years ago.
Description
Problem:
In case of an existing Cross Site Scripting vulnerability, it is possible to "steal" session cookies enabling the attacker to probably take over the user session.
Solution:
Enable cookieHttpOnly by default, which prevents JavaScript from accessing the session cookie. While this is not supported in older browsers, it works with all modern browsers and it does not cause any side effects (not to my knowledge).
(issue imported from #M17124)
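An added check, not part of the original issue or of TYPO3's own code, that audits Set-Cookie response headers and flags session cookies served without the HttpOnly (and Secure) attribute; the header lines and the cookie names `fe_typo_user` / `be_typo_user` are assumed for the example:

```python
import re

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "Set-Cookie: fe_typo_user=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: be_typo_user=def456; Path=/typo3/; Secure",
    "Set-Cookie: theme=dark; Path=/",
]

# Assumption: these are the cookie names that carry the user session.
SESSION_COOKIE_NAMES = {"fe_typo_user", "be_typo_user"}


def parse_set_cookie(header):
    """Split one Set-Cookie line into (name, value, {attribute: value}).

    Attribute names are lower-cased because browsers treat them
    case-insensitively (HttpOnly, httponly and HTTPONLY are equivalent).
    """
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(headers, session_names=SESSION_COOKIE_NAMES):
    """Return (cookie, finding) pairs for session cookies that lack
    HttpOnly or Secure; non-session cookies are ignored."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    for cookie, problem in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {problem}")
```

Run it against the headers of a frontend and a backend login response to confirm the setting is actually in effect, rather than trusting the configuration value alone.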
Sorry, I disagree. We AFAIK need the cookie in the File Uploaders in BE and I think ExtDirect, too. Although I'd really like to see this activated, I think it's not possible.
Can't judge exactly for the FE.
Sad, but I can confirm that the flash uploader does not work with that setting. Probably flash needs to get the cookie by javascript to send it back.
plupload worked and I really don't know why extDirect should need it.
I have this active on several customer sites and did not have any problems (except the flash uploader, which I thought was another bug), neither in the backend nor in the frontend (TYPO3 4.4.x)
But I agree this needs further investigation, so postponed for 4.6
Umm.. maybe because you used the HTML5 engine of plupload?
- Target version deleted (4.6.0-beta1)
- File 24647.diff added
- TYPO3 Version changed from 4.5 to 4.7
Here's a patch for the flash upload functionality which makes it possible to set this option by default.
- File deleted (24647.diff)
- Category set to Install Tool
- Status changed from New to Accepted
- Assignee set to Christian Kuhn
- Target version set to 6.2.0
- Complexity set to easy
We discussed this in the release team today and agreed that this should be the new default starting with 6.2.
- Status changed from Accepted to Under Review
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Missing documentation ticket!!!
See #24647 for the Security Guide.
- Status changed from Resolved to Closed