Page MenuHomePhabricator

Use HttpOnly cookies for session and authentication
Closed, ResolvedPublic


Kate's suggested looking at using HttpOnly cookies if possible as a mitigation
against potential XSS attacks stealing credentials.

This is an extension in IE 6.0 SP1 which can mark cookies so that they can't
be retrieved from JavaScript code. In combination with shutting off the TRACE
method in Apache, this could make it difficult/impossible for an XSS exploit
to take the session or auth token cookies and send them to a third party.

This may or may not be worthwhile; an attacker able to exploit it would already
be able to do quite a bit of damage just by issuing more requests from that

Other browsers _probably_ just ignore this HttpOnly attribute, but they might
be affected negatively, so testing would also be required.

Version: 1.6.x
Severity: enhancement



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:03 PM
bzimport set Reference to bz4731.
bzimport added a subscriber: Unknown Object (MLST).

Looks like Mozilla's finally trying to integrate support for this as well:

PHP also has built-in support for sending cookies marked this way in 5.2.0 and later.

Can be set via session.cookie_httponly setting and for session cookie. Non-session cookies also see set_cookie().

I did some quick testing of client support for httpOnly cookies:

Cookie accessible to server but not JavaScript:

  • IE/Win 7.0 (should work 6.0 SP1 and later)
  • Firefox (introduced
  • Firefox 3.0b5
  • Konqueror 3.5.8
  • Opera 9.50b
  • Opera Mini 4.0.10406

Cookie accessible to server and JavaScript:

  • IE/Mac 5.23 (Some vague reports that it causes general trouble, but I don't see a prob.)
  • Opera 9.27
  • Safari 3.1
  • MobileSafari (iPhone OS 1.1.4)

This seems like pretty decent coverage these days... To use the regular setcookie() call we'll have to finish upgrading our PHP 5.1 boxes to PHP 5.2, though. Alternatively we could make a custom function that sends the header manually.

Note that httpOnly cookies can be seen via XMLHttpRequest if you hit a request where they're actually _sent_. In most cases this is probably going to be reasonably safe for us, though. (PHP 5.1.2 sets session cookies over and over, but current versions don't.)

ayg wrote:

It seems Werdna added an option for this (on by default) in r33319. I'm assuming this covers all the intended usage discussed on this bug (I don't know what cookies we actually use). If not, feel free to reopen.

Applied to the session cookie as well as of r33459.

This can't currently be deployed to Wikimedia until we upgrade the remaining PHP 5.1 boxes, or else rewrite some custom cookie code.

Just a note -- WebKit is adding support for HttpOnly cookies, which will increase the number of protected clients as it filters out to new versions of Safari etc. Yay!