No HTTPOnly flag set for cookies (Hints on how to enable inside)

Started by Fisch.666, May 17, 2013, 05:45:25 AM


Fisch.666

Hi,

are there any reasons why the HTTPOnly flag for cookies is not set as default in SMF?

Seems that there is a mod available for 2.0 RC2:

http://www.simplemachines.org/community/index.php?topic=342543.0

but in my opinion this should be set as a default in SMF if there are no reason against this.

Arantor

httponly was only added in PHP 5.2, which is still beyond what is officially supported in SMF... Yes, you can do it manually like that mod does, but there are issues with doing so, like changing cookie standards (which setcookie() itself does handle).

SMF 2.0 officially supports before PHP 5.0 still. And realistically it's not the security help you think it is.

Fisch.666

Hi,

thanks for your reply and all this information.

Quote from: Arantor on May 17, 2013, 08:53:16 AM
SMF 2.0 officially supports before PHP 5.0 still.

Ok, I don't want to start a discussion about this here. But that shouldn't be the reason why this is not added, because the end of life of the PHP 5.2 tree was on 2010-12-16, not to mention the 5.1 or earlier versions of PHP...

And it should be no problem to test which PHP version is running on the server, as is already done in Subs-Auth.php on line 177, and only set HTTPOnly when running PHP 5.2 or later.

Quote from: Arantor on May 17, 2013, 08:53:16 AM
And realistically it's not the security help you think it is.

It is definitely a security help to prevent most of the XSS attacks to a client.

Fisch.666

Ok, I'm just digging through the code and testing my forums now with the HTTPOnly flag set to on for the cookies.

If someone wants to enable the HTTPOnly flag for their cookies, they just have to edit Sources/Subs-Auth.php and find all:

setcookie()

calls (there are 5 of them in SMF 2.0.4) and replace:

, !empty($modSettings['secureCookies']));

with:

, !empty($modSettings['secureCookies']), true);

on each call. Now your session cookies are shipped with the HTTPOnly flag.
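The edit above works on PHP 5.2 and later only, and the earlier post mentions gating on the PHP version the way Subs-Auth.php already does. The following is an added example, not SMF's own code and not the mod linked above: a wrapper around setcookie() in the style of the Subs-Auth.php calls that only passes the seventh argument when the runtime supports it, plus a small Set-Cookie parser so the result can be checked on a captured response header. The function names smf_set_cookie_httponly() and cookie_flags(), the cookie name SMFCookie956 and both sample headers are assumptions made for this example; $modSettings['secureCookies'] is the setting the forum code itself uses.

```php
<?php
// Added example (not SMF's own code): version-gated HttpOnly wrapper in the
// style of the setcookie() calls in Sources/Subs-Auth.php, plus a checker
// for the resulting Set-Cookie header. Function names are hypothetical.

function smf_set_cookie_httponly($name, $value, $expire, $path, $domain)
{
    global $modSettings;

    // Same Secure handling as the existing SMF calls.
    $secure = !empty($modSettings['secureCookies']);

    // The seventh ("httponly") argument of setcookie() exists only from
    // PHP 5.2.0. Gate on the runtime version so older installs keep the
    // six-argument call and still get setcookie()'s own header encoding
    // instead of a hand-built Set-Cookie header.
    if (version_compare(PHP_VERSION, '5.2.0', '>='))
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);

    return setcookie($name, $value, $expire, $path, $domain, $secure);
}

// Parse the attributes of one Set-Cookie header into an array so the
// presence of HttpOnly (and Secure) can be checked from a captured response.
// Attribute names are case-insensitive per RFC 6265, so they are lowercased;
// valueless attributes such as HttpOnly are stored as true.
function cookie_flags($set_cookie_header)
{
    $parts = array_map('trim', explode(';', $set_cookie_header));
    array_shift($parts); // drop the leading name=value pair
    $flags = array();
    foreach ($parts as $attr) {
        if ($attr === '')
            continue;
        $eq = strpos($attr, '=');
        $key = strtolower($eq === false ? $attr : substr($attr, 0, $eq));
        $flags[$key] = ($eq === false) ? true : substr($attr, $eq + 1);
    }
    return $flags;
}

// Must run before any output, otherwise PHP reports "headers already sent".
// Cookie name and value are placeholders for this example.
smf_set_cookie_httponly('SMFCookie956', 'placeholder', time() + 3600, '/', '');

// Constructed sample headers (not captured from a real forum), shaped like a
// session cookie before and after the Subs-Auth.php edit described above.
$before = 'SMFCookie956=a%3A4%3A%7Bi%3A0%3Bi%3A1%3B%7D; expires=Thu, 16-Jun-2016 10:00:00 GMT; path=/';
$after  = 'SMFCookie956=a%3A4%3A%7Bi%3A0%3Bi%3A1%3B%7D; expires=Thu, 16-Jun-2016 10:00:00 GMT; path=/; HttpOnly';

foreach (array('before' => $before, 'after' => $after) as $label => $header) {
    $flags = cookie_flags($header);
    printf("%-6s HttpOnly=%s Secure=%s\n", $label,
        isset($flags['httponly']) ? 'yes' : 'no',
        isset($flags['secure']) ? 'yes' : 'no');
}
```

Running this with `php` from the command line prints `HttpOnly=no` for the first constructed header and `HttpOnly=yes` for the second. To check a live forum rather than a constructed header, fetch the login response and look at its Set-Cookie lines, for example `curl -sI https://forum.example.org/index.php | grep -i set-cookie` (hostname assumed); the flag appears as a bare `HttpOnly` attribute at the end of the header.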

Arantor

Quote from: Fisch.666
Ok, don't want to start a discussion about this here. But that shouldn't be the reason why this is not added because the end of life of the PHP 5.2 tree was in 2010-12-16. Not talking about the 5.1 or earlier versions of PHP...

Irrelevant. The fact PHP versions that far back are EOL is irrelevant. SMF still supports them. Hell, there's still PHP 4.2 and 4.3 compatibility code in SMF. As well as IE4 and IE5 compatibility code. (No, I'm not kidding.)

Quote from: Fisch.666
It is definitely a security help to prevent most of the XSS attacks to a client.

BS. The session id is exposed elsewhere in the page too meaning that if you can get the page data, you can get the session id and generate your own cookie anyway. The cookie itself not being exposed to JS is no big deal to get around in the slightest.

But of course, you know best.

Fisch.666

Quote from: Arantor on May 18, 2013, 01:37:13 PM
Irrelevant. The fact PHP versions that far back are EOL is irrelevant. SMF still supports them. Hell, there's still PHP 4.2 and 4.3 compatibility code in SMF. As well as IE4 and IE5 compatibility code. (No, I'm not kidding.)

As stated above, I don't want to start a discussion about this here.

Quote from: Arantor on May 18, 2013, 01:37:13 PM
But of course, you know best.

I don't know best, but I'm trying to understand why such basic stuff is not set. As far as I was able to test, there is no drawback when setting this flag on my forums. So I just don't understand why this is not set.

Arantor

And I told you why it is not set. SMF's cookie code is essentially unchanged in several years - from *before* PHP 5.1.

There is no drawback, sure, but there isn't really any real benefit either. It's just a thing that makes you feel more secure than you actually are.

Fisch.666

Ok, I see, we're running in circles.

So personally I'm staying with the flag set because I can't see any drawbacks, and I'm marking this thread as solved.
