Simple Machines Community Forum

Customizing SMF => Modifications and Packages => Topic started by: Joshua Dickerson on October 15, 2009, 03:08:40 PM

Title: HTTP Only Cookies
Post by: Joshua Dickerson on October 15, 2009, 03:08:40 PM
Link to Mod (http://custom.simplemachines.org/mods/index.php?mod=2205)

Help prevent XSS.
Title: Re: HTTP Only Cookies
Post by: Smog on October 17, 2009, 06:10:30 AM
Txs for this useful modification, appreciated!  :)
Title: Re: HTTP Only Cookies
Post by: KensonPlays on December 28, 2009, 09:20:05 PM
Is this worth downloading?
Title: Re: HTTP Only Cookies
Post by: vika.vedy on March 02, 2010, 01:53:01 AM
Yes, it is worth downloading and installing.

But there are a couple of bugs in it.

First:
it changes the forum cookie's time to a wrong value:


<search position="replace"><![CDATA[setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));]]></search>
<add><![CDATA[setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);]]></add>


I suppose the replacement should be:
setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);

second small bug:

<operation>
<search position="replace"><![CDATA[setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));]]></search>
<add><![CDATA[setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);]]></add>
</operation>



The replacement should be:
setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);
Title: Re: HTTP Only Cookies
Post by: Lou69 on May 30, 2010, 07:47:48 PM
groundup,

What is the advantage of installing this mod? Have the bug fixes been added to the download package?

thanks,

Lou   :)

Title: Re: HTTP Only Cookies
Post by: Joshua Dickerson on May 31, 2010, 12:06:21 PM
The advantages are shown in the links in the first post. Not sure about the bugs.
Title: Re: HTTP Only Cookies
Post by: tfs on November 22, 2010, 10:20:13 PM
Because of the implications of the Firesheep plugin for Firefox, I'm changing one of my forums over to SSL.  Is this something I need to look at, or is it not needed when a forum is pure SSL?
Title: Re: HTTP Only Cookies
Post by: Joshua Dickerson on November 22, 2010, 10:28:57 PM
This would be in addition to a secure site.
Title: Re: HTTP Only Cookies
Post by: Robin1989 on February 16, 2011, 12:43:38 PM
Will this be updated for RC5?
Title: Re: HTTP Only Cookies
Post by: Joshua Dickerson on February 16, 2011, 01:17:28 PM
I haven't tested it on RC5 but I'm thinking it should work.
Title: Re: HTTP Only Cookies
Post by: nfpuu1u on May 18, 2013, 02:57:35 PM
Hi,

If someone is stumbling over this:

I had a short discussion about why this is not enabled by default here:

http://www.simplemachines.org/community/index.php?topic=503970.0

I had no time to test whether this mod works with the final versions of SMF 2.0, but if someone is running PHP 5.2 or higher, they don't need to use this mod and can just make the edits as described here:

http://www.simplemachines.org/community/index.php?topic=503970.msg3546502#msg3546502
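
Added example, not part of any post in this thread and not the mod's own code: one way to confirm that the extra `true` argument to setcookie() (the httponly parameter, PHP 5.2 and later) took effect is to inspect the Set-Cookie response headers for the HttpOnly and Secure attributes. The function name, cookie names and header values below are constructed for illustration.

```php
<?php
// Added example: report which cookies in a list of response header lines
// carry the HttpOnly and Secure attributes.

/**
 * @param string[] $headerLines raw response header lines
 * @return array cookie name => array('httponly' => bool, 'secure' => bool)
 */
function audit_cookie_flags(array $headerLines)
{
    $report = array();
    foreach ($headerLines as $line) {
        // Only Set-Cookie headers matter; header names are case-insensitive.
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        // The first part is name=value; everything after it is an attribute.
        $pair = explode('=', array_shift($parts), 2);
        $name = $pair[0];
        $flags = array('httponly' => false, 'secure' => false);
        foreach ($parts as $attr) {
            // Attribute names are case-insensitive and may carry a value (path=/).
            $attrPair = explode('=', $attr, 2);
            $key = strtolower(trim($attrPair[0]));
            if (isset($flags[$key])) {
                $flags[$key] = true;
            }
        }
        $report[$name] = $flags;
    }
    return $report;
}

// Constructed sample headers (cookie names and values are made up).
$sample = array(
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: SMFCookie123=constructed-value; expires=Tue, 01-Jan-2030 00:00:00 GMT; path=/; secure; HttpOnly',
    'Set-Cookie: PHPSESSID=constructed-session-id; path=/',
);

foreach (audit_cookie_flags($sample) as $name => $flags) {
    printf("%-12s HttpOnly=%s Secure=%s\n", $name,
        $flags['httponly'] ? 'yes' : 'NO', $flags['secure'] ? 'yes' : 'NO');
}
```

Feed it the header lines captured from a login response on your own forum; any cookie reported with HttpOnly=NO is still readable from page scripts.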