HTTP Only Cookies

Started by Joshua Dickerson, October 15, 2009, 03:08:40 PM

Joshua Dickerson

Link to Mod

Help prevent XSS.
Come work with me at Promenade Group



Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?


vika.vedy

Yes, it is worth downloading and installing.

But there are a couple of bugs in it.

First:
it replaces the forum cookie's expiry time with the wrong one:


<operation>
<search position="replace"><![CDATA[setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));]]></search>
<add><![CDATA[setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);]]></add>
</operation>


I'd politely suggest the replacement should be:
setcookie($cookiename, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);

second small bug:

<operation>
<search position="replace"><![CDATA[setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']));]]></search>
<add><![CDATA[setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);]]></add>
</operation>



The replacement should be:
setcookie($cookiename, serialize(array(0, '', 0)), time() - 3600, $cookie_url[1], $cookie_url[0], !empty($modSettings['secureCookies']), true);

Lou69

groundup,

What is the advantage to installing this mod? Have the bugs fixes been added to the download package?

thanks,

Lou   :)


Joshua Dickerson

The advantages are shown in the links in the first post. Not sure about the bugs.

tfs

Because of the implications of the Firesheep plugin for Firefox, I'm changing one of my forums over to SSL.  Is this something I need to look at, or is it not needed when a forum is pure SSL?
A good tree cannot bring forth evil fruit, neither can an evil tree bring forth good fruit.

Joshua Dickerson

This would be in addition to a secure site.
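vika.vedy's first bug report above and the SSL question from tfs both come down to what the forum's Set-Cookie header actually says once the mod is installed: the wrong replacement sends an expiry in the past, so the browser deletes the cookie instead of storing it, and a pure-SSL site still wants HttpOnly, because Secure only keeps the cookie off plain HTTP while HttpOnly keeps it away from script. The checker below is an added example, not code from the mod or from SMF. Paste the Set-Cookie values your forum sends (from a browser's network panel or `curl -i`) into the list and it reports a missing HttpOnly flag, a missing Secure flag, and an expiry that would delete the cookie. The cookie name SMFCookie956, the serialized values and the dates in the sample headers are constructed for illustration; SMF derives the real cookie name per install.

```python
"""Audit Set-Cookie headers for the flags the HTTP Only Cookies mod should add.

Added example, not part of the mod or of SMF. Sample headers are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (cookie name and values are made up).
SAMPLE_HEADERS = [
    # (0) stock SMF cookie with secureCookies off: no Secure, no HttpOnly
    "SMFCookie956=a%3A4%3A%7Bi%3A0%3Bi%3A1%3B%7D; expires=Sat, 31-Dec-2039 00:00:00 GMT; path=/; domain=forum.example.org",
    # (1) what the buggy first replacement emits: emptied value, expiry in the past
    "SMFCookie956=a%3A3%3A%7Bi%3A0%3Bi%3A0%3B%7D; expires=Thu, 15-Oct-2009 14:08:40 GMT; path=/; domain=forum.example.org; HttpOnly",
    # (2) the intended result: future expiry, Secure and HttpOnly both present
    "SMFCookie956=a%3A4%3A%7Bi%3A0%3Bi%3A1%3B%7D; expires=Sat, 31-Dec-2039 00:00:00 GMT; path=/; domain=forum.example.org; secure; HttpOnly",
]

# Fixed reference time so the sample results are reproducible.
FIXED_NOW = datetime(2011, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flags like HttpOnly have no '='
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def parse_expires(text):
    """Parse an Expires attribute as an aware UTC datetime, or None.

    PHP's setcookie() writes 'Sat, 31-Dec-2039 00:00:00 GMT'; other servers
    use the RFC 1123 form with spaces, so both are tried before email.utils.
    """
    for fmt in ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    try:
        when = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def check_cookie(header, now=None):
    """Return (cookie_name, [findings]) for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so an XSS bug can steal it")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain HTTP, where it can be sniffed")
    expired = False
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present
        try:
            expired = int(attrs["max-age"]) <= 0
        except ValueError:
            findings.append("unparseable Max-Age: %r" % attrs["max-age"])
    elif "expires" in attrs:
        when = parse_expires(attrs["expires"])
        if when is None:
            findings.append("unparseable Expires: %r" % attrs["expires"])
        else:
            expired = when <= now
    if expired:
        findings.append("expiry in the past: this header deletes the cookie instead of setting it")
    return name, findings


def audit(headers, now=None):
    """Check every header; returns [(index, name, findings), ...] in input order."""
    return [(i,) + check_cookie(h, now) for i, h in enumerate(headers)]


if __name__ == "__main__":
    for i, name, findings in audit(SAMPLE_HEADERS, FIXED_NOW):
        print("header %d (%s): %s" % (i, name, "; ".join(findings) or "OK"))
```

Run it against headers from a live login response rather than the samples; the login cookie and the cookie the mod rewrites on logout both need to show up with HttpOnly, and on an SSL-only forum both should carry Secure as well.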

Robin1989

will this be updated for RC5

Joshua Dickerson

I haven't tested it on RC5 but I'm thinking it should work.

Fisch.666

Hi,

in case someone stumbles over this:

There was a short discussion here about why this is not enabled by default:

http://www.simplemachines.org/community/index.php?topic=503970.0

I had no time to test whether this mod works with the final versions of SMF 2.0, but if you are running PHP 5.2 or higher you don't need this mod and can just make the edits described here:

http://www.simplemachines.org/community/index.php?topic=503970.msg3546502#msg3546502
