Feature #90351

Allow TYPO3 to make SameSite cookies configurable

Added by Benni Mack 14 days ago. Updated 7 days ago.

Status: Resolved
Priority: Must have
Category: Security
Start date: 2020-02-11
% Done: 100%


Related issues

Related to TYPO3 Core - Task #90380: Streamline SameSite cookie handling Resolved 2020-02-15

Associated revisions

Revision de29dc2d (diff)
Added by Benni Mack 12 days ago

[FEATURE] Implement SameSite option for TYPO3 cookies

This change introduces a new security option for setting the SameSite
option to all cookies sent by TYPO3 Core.

Namely:
- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", non-configurable)
- Last Login Provider in Backend ("strict", non-configurable)

This means that these can only be accessed by scripts and requests
by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not
ads-related or third-party login-dependent cookies, the default
options fit just perfectly.

All modern browsers except Internet Explorer respect this option
when set. Please note that Firefox and Chrome will have "SameSite=lax"
set in Q1/2020 by default if NO SameSite option is set at all. This change
allows configuring this.

Backend and Frontend User Cookies can be configured to "strict", "lax"
or "none" (= same as before), whereas "none" only works for secure
connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can
be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183
Tested-by: Anja Leichsenring <>
Tested-by: TYPO3com <>
Tested-by: Georg Ringer <>
Reviewed-by: Anja Leichsenring <>
Reviewed-by: Georg Ringer <>

Revision 2f415eae (diff)
Added by Benni Mack 8 days ago

[FEATURE] Implement SameSite option for TYPO3 cookies

This change introduces a new security option for setting the SameSite
option to all cookies sent by TYPO3 Core.

Namely:
- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", non-configurable)
- Last Login Provider in Backend ("strict", non-configurable)
- ext:rsaauth via native session handling ("strict", non-configurable)
- workspace preview "ADMCMD_prev" using backend user setting
("strict" by default)

This means that these can only be accessed by scripts and requests
by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not
ads-related or third-party login-dependent cookies, the default
options fit just perfectly.

All modern browsers except Internet Explorer respect this option
when set. Please note that Firefox and Chrome will have "SameSite=lax"
set in Q1/2020 by default if NO SameSite option is set at all. This change
allows configuring this.

Backend and Frontend User Cookies can be configured to "strict", "lax"
or "none" (= same as before), whereas "none" only works for secure
connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can
be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214
Tested-by: TYPO3com <>
Tested-by: Susanne Moog <>
Tested-by: Georg Ringer <>
Reviewed-by: Susanne Moog <>
Reviewed-by: Georg Ringer <>

Revision fb0b2624 (diff)
Added by Oliver Hader 8 days ago

[TASK] Streamline SameSite cookie handling

Patch for issue #90351 in the master branch was merged fast.
Some aspects were missing which are streamlined with this change.

- workspace preview "ADMCMD_prev" using backend user setting
("strict" by default)

Resolves: #90380
Releases: master
Change-Id: I8d244db64a438d7537310787934a49abe3ebf28d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63256
Tested-by: TYPO3com <>
Tested-by: Oliver Hader <>
Reviewed-by: Oliver Hader <>

Revision 0d5ae4eb (diff)
Added by Benni Mack 7 days ago

[FEATURE] Implement SameSite option for TYPO3 cookies

This change introduces a new security option for setting the SameSite
option to all cookies sent by TYPO3 Core.

Namely:
- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", non-configurable)
- Last Login Provider in Backend ("strict", non-configurable)
- ext:rsaauth via native session handling ("strict", non-configurable)
- workspace preview "ADMCMD_prev" using backend user setting
("strict" by default)

This means that these can only be accessed by scripts and requests
by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not
ads-related or third-party login-dependent cookies, the default
options fit just perfectly.

All modern browsers except Internet Explorer respect this option
when set. Please note that Firefox and Chrome will have "SameSite=lax"
set in Q1/2020 by default if NO SameSite option is set at all. This change
allows configuring this.

Backend and Frontend User Cookies can be configured to "strict", "lax"
or "none" (= same as before), whereas "none" only works for secure
connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can
be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215
Tested-by: TYPO3com <>
Tested-by: Susanne Moog <>
Tested-by: Georg Ringer <>
Tested-by: Richard Haeser <>
Reviewed-by: Susanne Moog <>
Reviewed-by: Georg Ringer <>
Reviewed-by: Richard Haeser <>
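The commit messages above describe the policy ("strict"/"lax"/"none", with "none" only valid over HTTPS) but not how a cookie carrying it is emitted. The following is an added illustration, not TYPO3 Core code: it builds a Set-Cookie header for the documented defaults and refuses the one combination browsers silently drop, SameSite=None on a non-TLS request. The cookie names fe_typo_user and be_typo_user are assumed to be TYPO3's session cookie names; the session value is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3's own code): emit a Set-Cookie header carrying the
// SameSite policy described in the change, and reject SameSite=None on plain HTTP.

final class CookiePolicyException extends \RuntimeException {}

/**
 * @param string $sameSite "strict", "lax" or "none" (case-insensitive)
 * @param bool   $isHttps  whether the current request is served over TLS
 */
function buildSetCookieHeader(string $name, string $value, string $sameSite, bool $isHttps, int $maxAge = 0): string
{
    $sameSite = strtolower(trim($sameSite));
    if (!in_array($sameSite, ['strict', 'lax', 'none'], true)) {
        throw new CookiePolicyException(sprintf('Unknown SameSite value "%s"', $sameSite));
    }
    // "none" re-enables cross-site sending and is only honoured together with the
    // Secure flag, so it is unusable on HTTP. Fail loudly instead of sending a
    // cookie the browser will reject, which would look like a broken login.
    if ($sameSite === 'none' && !$isHttps) {
        throw new CookiePolicyException('SameSite=None requires an HTTPS connection (Secure flag)');
    }
    $parts = [
        rawurlencode($name) . '=' . rawurlencode($value),
        'Path=/',
        'HttpOnly',
        'SameSite=' . ucfirst($sameSite), // Strict / Lax / None
    ];
    if ($isHttps) {
        $parts[] = 'Secure';
    }
    if ($maxAge > 0) {
        $parts[] = 'Max-Age=' . $maxAge;
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Defaults from the change: frontend sessions "lax", backend sessions "strict".
// Cookie names are assumed TYPO3 session cookie names; the value is constructed.
$defaults = ['fe_typo_user' => 'lax', 'be_typo_user' => 'strict'];
foreach ($defaults as $cookie => $policy) {
    echo buildSetCookieHeader($cookie, 'constructed-session-id', $policy, true), PHP_EOL;
}
try {
    buildSetCookieHeader('fe_typo_user', 'constructed-session-id', 'none', false);
} catch (CookiePolicyException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with the PHP CLI; the first two lines show the default backend and frontend policies, the third shows the "none" over HTTP case being refused rather than emitted.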

History

#1 Updated by Gerrit Code Review 14 days ago

  • Status changed from New to Under Review

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183

#2 Updated by Gerrit Code Review 12 days ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183

#3 Updated by Gerrit Code Review 12 days ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183

#4 Updated by Gerrit Code Review 12 days ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183

#5 Updated by Gerrit Code Review 12 days ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183

#6 Updated by Gerrit Code Review 12 days ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214

#7 Updated by Gerrit Code Review 12 days ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214

#8 Updated by Gerrit Code Review 12 days ago

Patch set 3 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214

#9 Updated by Gerrit Code Review 12 days ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215

#10 Updated by Benni Mack 12 days ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11 Updated by Gerrit Code Review 12 days ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215

#12 Updated by Gerrit Code Review 12 days ago

Patch set 4 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214

#13 Updated by Oliver Hader 10 days ago

  • Related to Task #90380: Streamline SameSite cookie handling added

#14 Updated by Gerrit Code Review 10 days ago

Patch set 5 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214

#15 Updated by Gerrit Code Review 10 days ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215

#16 Updated by Gerrit Code Review 9 days ago

Patch set 6 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214

#17 Updated by Benni Mack 8 days ago

  • Status changed from Under Review to Resolved

#18 Updated by Gerrit Code Review 8 days ago

  • Status changed from Resolved to Under Review

Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215

#19 Updated by Gerrit Code Review 8 days ago

Patch set 5 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63215

#20 Updated by Benni Mack 7 days ago

  • Status changed from Under Review to Resolved
