Last modified: 2008-12-28 18:26:48 UTC
Kate's suggested looking at using HttpOnly cookies if possible as a mitigation against potential XSS attacks stealing credentials. This is an extension in IE 6.0 SP1 which can mark cookies so that they can't be retrieved from JavaScript code. In combination with shutting off the TRACE method in Apache, this could make it difficult/impossible for an XSS exploit to take the session or auth token cookies and send them to a third party. This may or may not be worthwhile; an attacker able to exploit it would already be able to do quite a bit of damage just by issuing more requests from that session. Other browsers _probably_ just ignore this HttpOnly attribute, but they might be affected negatively, so testing would also be required.
Looks like Mozilla's finally trying to integrate support for this as well: https://bugzilla.mozilla.org/show_bug.cgi?id=178993 PHP also has built-in support for sending cookies marked this way in 5.2.0 and later. Can be set via session.cookie_httponly setting and http://us2.php.net/manual/en/function.session-set-cookie-params.php for session cookie. Non-session cookies also see set_cookie().
I did some quick testing of client support for httpOnly cookies: Cookie accessible to server but not JavaScript: * IE/Win 7.0 (should work 6.0 SP1 and later) * Firefox 2.0.0.13 (introduced 2.0.0.5) * Firefox 3.0b5 * Konqueror 3.5.8 * Opera 9.50b * Opera Mini 4.0.10406 Cookie accessible to server and JavaScript: * IE/Mac 5.23 (Some vague reports that it causes general trouble, but I don't see a prob.) * Opera 9.27 * Safari 3.1 * MobileSafari (iPhone OS 1.1.4) This seems like pretty decent coverage these days... To use the regular setcookie() call we'll have to finish upgrading our PHP 5.1 boxes to PHP 5.2, though. Alternatively we could make a custom function that sends the header manually. Note that httpOnly cookies can be seen via XMLHttpRequest if you hit a request where they're actually _sent_. In most cases this is probably going to be reasonably safe for us, though. (PHP 5.1.2 sets session cookies over and over, but current versions don't.)
It seems Werdna added an option for this (on by default) in r33319. I'm assuming this covers all the intended usage discussed on this bug (I don't know what cookies we actually use). If not, feel free to reopen.
Applied to the session cookie as well as of r33459. This can't currently be deployed to Wikimedia until we upgrade the remaining PHP 5.1 boxes, or else rewrite some custom cookie code.
Just a note -- WebKit is adding support for HttpOnly cookies, which will increase the number of protected clients as it filters out to new versions of Safari etc. Yay! http://trac.webkit.org/changeset/38566
