Last modified: 2008-12-28 18:26:48 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 4731 - Use HttpOnly cookies for session and authentication
Use HttpOnly cookies for session and authentication
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
1.6.x
All All
: Normal enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
http://msdn.microsoft.com/workshop/au...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-23 03:50 UTC by Brion Vibber
Modified: 2008-12-28 18:26 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Brion Vibber 2006-01-23 03:50:22 UTC
Kate's suggested looking at using HttpOnly cookies if possible as a mitigation
against potential XSS attacks stealing credentials.

This is an extension in IE 6.0 SP1 which can mark cookies so that they can't
be retrieved from JavaScript code. In combination with shutting off the TRACE
method in Apache, this could make it difficult/impossible for an XSS exploit
to take the session or auth token cookies and send them to a third party.

This may or may not be worthwhile; an attacker able to exploit it would already
be able to do quite a bit of damage just by issuing more requests from that
session.

Other browsers _probably_ just ignore this HttpOnly attribute, but they might
be affected negatively, so testing would also be required.
Comment 1 Brion Vibber 2007-06-22 18:00:17 UTC
Looks like Mozilla's finally trying to integrate support for this as well: https://bugzilla.mozilla.org/show_bug.cgi?id=178993

PHP also has built-in support for sending cookies marked this way in 5.2.0 and later.

Can be set via session.cookie_httponly setting and http://us2.php.net/manual/en/function.session-set-cookie-params.php for session cookie. Non-session cookies also see set_cookie().
Comment 2 Brion Vibber 2008-04-14 22:34:48 UTC
I did some quick testing of client support for httpOnly cookies:

Cookie accessible to server but not JavaScript:
* IE/Win 7.0 (should work 6.0 SP1 and later)
* Firefox 2.0.0.13 (introduced 2.0.0.5)
* Firefox 3.0b5
* Konqueror 3.5.8
* Opera 9.50b
* Opera Mini 4.0.10406

Cookie accessible to server and JavaScript:
* IE/Mac 5.23 (Some vague reports that it causes general trouble, but I don't see a prob.)
* Opera 9.27
* Safari 3.1
* MobileSafari (iPhone OS 1.1.4)

This seems like pretty decent coverage these days... To use the regular setcookie() call we'll have to finish upgrading our PHP 5.1 boxes to PHP 5.2, though. Alternatively we could make a custom function that sends the header manually.

Note that httpOnly cookies can be seen via XMLHttpRequest if you hit a request where they're actually _sent_. In most cases this is probably going to be reasonably safe for us, though. (PHP 5.1.2 sets session cookies over and over, but current versions don't.)
Comment 3 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-04-15 14:07:50 UTC
It seems Werdna added an option for this (on by default) in r33319.  I'm assuming this covers all the intended usage discussed on this bug (I don't know what cookies we actually use).  If not, feel free to reopen.
Comment 4 Brion Vibber 2008-04-16 23:08:18 UTC
Applied to the session cookie as well as of r33459.

This can't currently be deployed to Wikimedia until we upgrade the remaining PHP 5.1 boxes, or else rewrite some custom cookie code.
Comment 5 Brion Vibber 2008-12-28 18:26:48 UTC
Just a note -- WebKit is adding support for HttpOnly cookies, which will increase the number of protected clients as it filters out to new versions of Safari etc. Yay!

http://trac.webkit.org/changeset/38566

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links