Page MenuHomePhabricator
Create Task
Maniphest T6731

Use HttpOnly cookies for session and authentication
Closed, ResolvedPublic
Actions

Description

Kate's suggested looking at using HttpOnly cookies if possible as a mitigation
against potential XSS attacks stealing credentials.

This is an extension in IE 6.0 SP1 which can mark cookies so that they can't
be retrieved from JavaScript code. In combination with shutting off the TRACE
method in Apache, this could make it difficult/impossible for an XSS exploit
to take the session or auth token cookies and send them to a third party.

This may or may not be worthwhile; an attacker able to exploit it would already
be able to do quite a bit of damage just by issuing more requests from that
session.

Other browsers _probably_ just ignore this HttpOnly attribute, but they might
be affected negatively, so testing would also be required.

Version: 1.6.x
Severity: enhancement
URL: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

Details

Reference
bz4731

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:03 PM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz4731.
bzimport added a subscriber: Unknown Object (MLST).
brooke created this task.Jan 23 2006, 3:50 AM
brooke added a comment.Jun 22 2007, 6:00 PM

Looks like Mozilla's finally trying to integrate support for this as well: https://bugzilla.mozilla.org/show_bug.cgi?id=178993

PHP also has built-in support for sending cookies marked this way in 5.2.0 and later.

Can be set via session.cookie_httponly setting and http://us2.php.net/manual/en/function.session-set-cookie-params.php for session cookie. Non-session cookies also see set_cookie().

brooke added a comment.Apr 14 2008, 10:34 PM

I did some quick testing of client support for httpOnly cookies:

Cookie accessible to server but not JavaScript:

  • IE/Win 7.0 (should work 6.0 SP1 and later)
  • Firefox 2.0.0.13 (introduced 2.0.0.5)
  • Firefox 3.0b5
  • Konqueror 3.5.8
  • Opera 9.50b
  • Opera Mini 4.0.10406

Cookie accessible to server and JavaScript:

  • IE/Mac 5.23 (Some vague reports that it causes general trouble, but I don't see a prob.)
  • Opera 9.27
  • Safari 3.1
  • MobileSafari (iPhone OS 1.1.4)

This seems like pretty decent coverage these days... To use the regular setcookie() call we'll have to finish upgrading our PHP 5.1 boxes to PHP 5.2, though. Alternatively we could make a custom function that sends the header manually.

Note that httpOnly cookies can be seen via XMLHttpRequest if you hit a request where they're actually _sent_. In most cases this is probably going to be reasonably safe for us, though. (PHP 5.1.2 sets session cookies over and over, but current versions don't.)

bzimport added a comment.Apr 15 2008, 2:07 PM

ayg wrote:

It seems Werdna added an option for this (on by default) in r33319. I'm assuming this covers all the intended usage discussed on this bug (I don't know what cookies we actually use). If not, feel free to reopen.

brooke added a comment.Apr 16 2008, 11:08 PM

Applied to the session cookie as well as of r33459.

This can't currently be deployed to Wikimedia until we upgrade the remaining PHP 5.1 boxes, or else rewrite some custom cookie code.

brooke added a comment.Dec 28 2008, 6:26 PM

Just a note -- WebKit is adding support for HttpOnly cookies, which will increase the number of protected clients as it filters out to new versions of Safari etc. Yay!

http://trac.webkit.org/changeset/38566

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits