
Ticket #1123 (open enhancement)

Improve the creation of cookies

  • Created: 2018-08-28 19:01:12
  • Reported by: DarkZero
  • Assigned to: None
  • Milestone: 1.6
  • Component: security
  • Priority: high

All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers.

It would be interesting to review the cookie name: using a prefix.
https://tools.ietf.org/html/draft-west- … refixes-05

Have the option to configure the creation of cookies, offering basic safety tips and best practices.
https://tools.ietf.org/html/rfc6265
https://tools.ietf.org/html/draft-west- … cookies-07

- All cookies must be set with the Secure flag, indicating that they should only be sent over HTTPS
- Cookies that don’t require access from JavaScript should be set with the HttpOnly flag
- Expiration: Cookies should expire as soon as is necessary. Session identifiers in particular should expire quickly (currently it's 365 days; 30 would be better, for example).
- Domain: Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible
- Path: Cookies should be set to the most restrictive path possible, but for FluxBB this will be set to the root directory
- SameSite: Forbid sending the cookie via cross-origin requests (such as from <img> tags, etc.), as a strong anti-CSRF measure.

History

Visman 2018-08-29 12:39:35

>- All cookies must be set with the Secure flag, indicating that they should only be sent over HTTPS
"$cookie_secure = " in config.php

>- Cookies that don’t require access from JavaScript should be set with the HttpOnly flag
Currently, cookies are set with this flag.

>- Expiration: Cookies should expire as soon as is necessary. Session identifiers in particular should expire quickly (currently it's 365 days; 30 would be better, for example).
Currently, ~1800 or 1209600 seconds (14 days)

>- Domain: Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible
"$cookie_domain = " in config.php

>- Path: Cookies should be set to the most restrictive path possible, but for FluxBB this will be set to the root directory
"$cookie_path = " in config.php

>- SameSite: Forbid sending the cookie via cross-origin requests (such as from <img> tags, etc.), as a strong anti-CSRF measure.
Not all browsers support it. No native support in PHP.

DarkZero 2018-08-29 17:38:24

Hello, I know, it's possible in the config.php.
However, it is not something that is realised by the administrators. Even on the official website (here), cookies are transmitted in an unsecured way, while there is HTTPS. Many sites under FluxBB do not configure it. This is an observation.

Offer configuration in the administrator panel or make it by default if the conditions are right.

For SameSite, this feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients. On the latest version, PHP 7.3, it's working.

Sorry, mistake for the expiration.

Franz 2018-09-03 23:06:40

  • Milestone set to 1.6.

Thanks for the report.

As far as I can tell, only "secure" and "samesite" are relevant here.

For "secure", we'd need to change the default, which should be fine. For "samesite" support, we would need to use the header() function instead of setcookie(). This can be done, but great care needs to be taken in order to escape all values correctly.

P.S.: I've updated the setting on FluxBB.org.
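
The following is an added PHP example (not FluxBB's own code, and not part of this ticket) that puts the checklist from the ticket and Franz's remark together: it emits Set-Cookie through header() so that SameSite works on PHP versions whose setcookie() does not know the attribute, and it validates name, value, domain and path against the RFC 6265 grammar rather than trying to escape them, since the header has no escaping mechanism. It also enforces the requirements of the __Host- and __Secure- cookie-name prefixes mentioned in the ticket. The cookie name `__Host-flux_session`, the 14-day lifetime and the function names are assumptions chosen for the illustration; FluxBB configures its cookie name, domain, path and secure flag in config.php.

```php
<?php
// Added example, not FluxBB code. Builds a Set-Cookie header by hand so that
// SameSite can be sent even where setcookie() has no option for it (native
// support arrived with the $options array in PHP 7.3). Values are validated,
// not escaped: a ';' or CR/LF inside a value would inject extra attributes
// or headers, and Set-Cookie offers no way to quote them safely.

function cookie_name_is_valid($name) {
    // RFC 6265 cookie-name is an HTTP token: no CTLs, separators or whitespace.
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name) === 1;
}

function cookie_value_is_valid($value) {
    // cookie-octet: printable US-ASCII minus whitespace, DQUOTE, ',', ';' and '\'.
    return preg_match('/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/', $value) === 1;
}

/**
 * Build one Set-Cookie header value.
 * $options keys: expires (unix time, 0 = session cookie), path, domain,
 * secure (bool), httponly (bool), samesite ('Lax'|'Strict'|'None').
 * Defaults are the restrictive ones the ticket asks for.
 */
function build_set_cookie($name, $value, array $options = array()) {
    $o = array_merge(array(
        'expires'  => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ), $options);

    if (!cookie_name_is_valid($name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    if (!cookie_value_is_valid($value)) {
        throw new InvalidArgumentException('Invalid cookie value');
    }
    if ($o['domain'] !== '' && !preg_match('/^[A-Za-z0-9.-]+$/', $o['domain'])) {
        throw new InvalidArgumentException('Invalid cookie domain');
    }
    if (!preg_match('#^/[^;\x00-\x1F\x7F]*$#', $o['path'])) {
        throw new InvalidArgumentException('Invalid cookie path');
    }
    if (!in_array($o['samesite'], array('Lax', 'Strict', 'None'), true)) {
        throw new InvalidArgumentException('Invalid SameSite value');
    }
    // Browsers reject SameSite=None unless the cookie is also Secure.
    if ($o['samesite'] === 'None' && !$o['secure']) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }
    // Cookie-prefix rules (draft-west-cookie-prefixes): __Host- requires
    // Secure, Path=/ and no Domain attribute; __Secure- requires Secure.
    if (strncmp($name, '__Host-', 7) === 0
        && (!$o['secure'] || $o['domain'] !== '' || $o['path'] !== '/')) {
        throw new InvalidArgumentException('__Host- requires Secure, Path=/ and no Domain');
    }
    if (strncmp($name, '__Secure-', 9) === 0 && !$o['secure']) {
        throw new InvalidArgumentException('__Secure- requires Secure');
    }

    $parts = array($name . '=' . $value);
    if ($o['expires'] > 0) {
        // RFC 1123 date in GMT as RFC 6265 expects, plus Max-Age, which
        // browsers that understand it prefer over Expires.
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', $o['expires']) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $o['expires'] - time());
    }
    if ($o['domain'] !== '') {
        $parts[] = 'Domain=' . $o['domain'];
    }
    $parts[] = 'Path=' . $o['path'];
    if ($o['secure']) {
        $parts[] = 'Secure';
    }
    if ($o['httponly']) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $o['samesite'];

    return implode('; ', $parts);
}

function send_cookie($name, $value, array $options = array()) {
    // Second argument false: append, so several cookies can be queued at once.
    header('Set-Cookie: ' . build_set_cookie($name, $value, $options), false);
}

// Hypothetical session cookie: 14 days (1209600 s, the value Visman quotes),
// locked to this host by the __Host- prefix, Secure + HttpOnly + SameSite=Lax.
$session_id = bin2hex(random_bytes(16));
echo build_set_cookie('__Host-flux_session', $session_id, array('expires' => time() + 1209600)), "\n";
```

Because the name and value are checked against the token and cookie-octet grammars, any attempt to smuggle `; Domain=` or a line break through them raises an exception instead of reaching the header, which is the "great care" Franz refers to. On PHP 7.3 and later the same attributes can be passed to setcookie() through its $options array, and the validation above remains useful as a guard on what goes into it.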

DarkZero 2018-09-04 16:43:10

Nice!
Look forward to seeing this in 1.6