
Audit use of cookies #2
Open, Needs Triage, Public

Description

On en.wikipedia.org:

  • enwikimwuser-sessionId
    • lacks the Secure flag
  • enwikiwmE-sessionTickLastTickTime
    • lacks the Secure flag
  • enwikiwmE-sessionTickTickCount
    • lacks the Secure flag
  • GeoIP

It's not that many cookies that are set for users without an account. Therefore I think these should all be documented.

I am operating under the assumption that there's no reason not to set the Secure flag on any cookies nowadays, now that there is HTTPS everywhere. And if it's a set goal that cookies should be hardened (harder to steal, leak) and it is worthwhile to set the Secure flag on the login cookie, then why not consistently set the cookie flags for all cookies?

(There are reasons to omit the HttpOnly flag - for those cookies set by JavaScript. All cookies that I've seen that are set for noscript users have the HttpOnly flag already.)

I would guess there are at least two code paths. The code path for setting the login cookie which contains the Secure flag and a different code path for other cookies. Perhaps that should be unified?

Also, it seems like extensions can set their own cookies, but they're not using a MediaWiki core API for that. Maybe MediaWiki's extensions should be encouraged to use a (maybe yet to be invented) API to set cookies, and MediaWiki's core should add a warning encouraging extensions to use that API?

Similar to T110353.

related:
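
The kind of flag audit this task describes can be scripted over `Set-Cookie` header values. The following is an added example, not part of the original task or of MediaWiki; the cookie names and header values are constructed, and `js_set` is a hypothetical parameter for cookies that JavaScript needs to access, where HttpOnly is not expected.

```python
# Constructed sample Set-Cookie header values (not captured from en.wikipedia.org).
SAMPLE_HEADERS = [
    "exampleSession=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "examplePref=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "exampleTick=5; Path=/; secure",
    "exampleGeo=US:CA; Path=/; Domain=.example.org; HTTPONLY",
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise before comparing.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit(headers, js_set=()):
    """Return {cookie name: [findings]} for cookies missing hardening flags.

    js_set (hypothetical parameter) names cookies that JavaScript must access;
    HttpOnly is not expected on those, matching the exception noted in the task.
    """
    findings = {}
    for value in headers:
        name, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("lacks Secure")
        if "httponly" not in attrs and name not in js_set:
            issues.append("lacks HttpOnly")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, issues in audit(SAMPLE_HEADERS, js_set={"exampleTick"}).items():
        print(f"{cookie}: {', '.join(issues)}")
```

Cookies written from client-side script never appear in a `Set-Cookie` header, so those have to be audited from the browser's cookie store instead.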