Last modified: 2008-12-28 18:26:48 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T6731, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 4731 - Use HttpOnly cookies for session and authentication
Use HttpOnly cookies for session and authentication
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
All All
: Normal enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
Depends on:
  Show dependency treegraph
Reported: 2006-01-23 03:50 UTC by Brion Vibber
Modified: 2008-12-28 18:26 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Brion Vibber 2006-01-23 03:50:22 UTC
Kate's suggested looking at using HttpOnly cookies if possible as a mitigation
against potential XSS attacks stealing credentials.

This is an extension in IE 6.0 SP1 which can mark cookies so that they can't
be retrieved from JavaScript code. In combination with shutting off the TRACE
method in Apache, this could make it difficult/impossible for an XSS exploit
to take the session or auth token cookies and send them to a third party.

This may or may not be worthwhile; an attacker able to exploit it would already
be able to do quite a bit of damage just by issuing more requests from that

Other browsers _probably_ just ignore this HttpOnly attribute, but they might
be affected negatively, so testing would also be required.
Comment 1 Brion Vibber 2007-06-22 18:00:17 UTC
Looks like Mozilla's finally trying to integrate support for this as well:

PHP also has built-in support for sending cookies marked this way in 5.2.0 and later.

Can be set via session.cookie_httponly setting and for session cookie. Non-session cookies also see set_cookie().
Comment 2 Brion Vibber 2008-04-14 22:34:48 UTC
I did some quick testing of client support for httpOnly cookies:

Cookie accessible to server but not JavaScript:
* IE/Win 7.0 (should work 6.0 SP1 and later)
* Firefox (introduced
* Firefox 3.0b5
* Konqueror 3.5.8
* Opera 9.50b
* Opera Mini 4.0.10406

Cookie accessible to server and JavaScript:
* IE/Mac 5.23 (Some vague reports that it causes general trouble, but I don't see a prob.)
* Opera 9.27
* Safari 3.1
* MobileSafari (iPhone OS 1.1.4)

This seems like pretty decent coverage these days... To use the regular setcookie() call we'll have to finish upgrading our PHP 5.1 boxes to PHP 5.2, though. Alternatively we could make a custom function that sends the header manually.

Note that httpOnly cookies can be seen via XMLHttpRequest if you hit a request where they're actually _sent_. In most cases this is probably going to be reasonably safe for us, though. (PHP 5.1.2 sets session cookies over and over, but current versions don't.)
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-04-15 14:07:50 UTC
It seems Werdna added an option for this (on by default) in r33319.  I'm assuming this covers all the intended usage discussed on this bug (I don't know what cookies we actually use).  If not, feel free to reopen.
Comment 4 Brion Vibber 2008-04-16 23:08:18 UTC
Applied to the session cookie as well as of r33459.

This can't currently be deployed to Wikimedia until we upgrade the remaining PHP 5.1 boxes, or else rewrite some custom cookie code.
Comment 5 Brion Vibber 2008-12-28 18:26:48 UTC
Just a note -- WebKit is adding support for HttpOnly cookies, which will increase the number of protected clients as it filters out to new versions of Safari etc. Yay!

Note You need to log in before you can comment on or make changes to this bug.