Newsgroups: php.internals
Subject: Re: [PHP-DEV] [GitHub #7913] Vulnerability due to insecure default values for session.cookie_secure and session.cookie_httponly
Date: Fri, 13 Sep 2024 19:49:34 +0200
From: claude.pache@gmail.com (Claude Pache)
To: etkaar+0cvptjjwq0@akayo.eu
Cc: internals@lists.php.net
In-Reply-To: <64a80dtdj.EU2uYf@akayo.eu>
References: <64a80dtdj.EU2uYf@akayo.eu>

> On 13 Sept 2024 at 16:13, etkaar <etkaar@akayo.eu> wrote:
>
> Hi!
>
> I created this issue in January 2022 but it seems it wasn't noticed yet (since you probably watch the mailing lists more than GitHub):
> https://github.com/php/php-src/issues/7913
>
> Kind Regards,
> etkaar

Hi,

* Defaulting `session.cookie_httponly` to `true` seems very reasonable.

* Beware that if you set `session.cookie_secure` to `true`, you will break websites that are not served over https. Moreover, the reason for the breakage may not be evident.

* You forgot another obvious setting: `session.cookie_samesite` must be "Lax" by default.

* We should also consider setting `session.use_strict_mode` to `true`, in order to mitigate session fixation attacks.

—Claude
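The four settings discussed above (`session.cookie_httponly`, `session.cookie_secure`, `session.cookie_samesite`, `session.use_strict_mode`), applied together and audited, as an added example; this is not code from the thread, from the GitHub issue, or from php-src. It assumes PHP 7.3 or later (the `samesite` key of `session_set_cookie_params()` and `session.cookie_samesite` first appeared there). The `$served_over_https` detection from `$_SERVER` and the function names are this example's own choices, and `cookie_secure` is only enabled when the site really runs over HTTPS, which is the breakage caveat raised in the reply.

```php
<?php
// Added example (not from the thread): hardened PHP session-cookie settings
// plus an audit helper that reports which of the four settings are still weak.
// Assumes PHP >= 7.3.
declare(strict_types=1);

/**
 * Return a list of the session-cookie settings that are still at a weak value.
 * Reads the live ini values, so it can double as a deployment health check.
 */
function audit_session_cookie_settings(bool $served_over_https): array
{
    $problems = [];

    if (!filter_var(ini_get('session.cookie_httponly'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.cookie_httponly is off: the session cookie is readable from JavaScript';
    }
    // Only flag cookie_secure when the site is actually served over HTTPS:
    // on plain HTTP a Secure cookie is never sent back by the browser, which
    // is exactly the hard-to-diagnose breakage the reply warns about.
    if ($served_over_https && !filter_var(ini_get('session.cookie_secure'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.cookie_secure is off: the session cookie may be sent over plain HTTP';
    }
    if (!in_array(ini_get('session.cookie_samesite'), ['Lax', 'Strict'], true)) {
        $problems[] = 'session.cookie_samesite is not Lax/Strict: the cookie is attached to cross-site requests';
    }
    if (!filter_var(ini_get('session.use_strict_mode'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'session.use_strict_mode is off: client-supplied, uninitialized session IDs are accepted';
    }
    return $problems;
}

/**
 * Apply the hardened values. Must run before session_start() and before any
 * output, otherwise the settings do not reach the cookie about to be sent.
 */
function harden_session_cookies(bool $served_over_https): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs PHP did not create (session fixation)
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,                   // browser-session cookie
        'path'     => '/',
        'domain'   => '',                  // current host only
        'secure'   => $served_over_https,  // true would break plain-HTTP sites
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Assumed HTTPS detection: behind a TLS-terminating proxy you would instead
// trust one forwarded header that only that proxy can set.
$https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
      || ((int) ($_SERVER['SERVER_PORT'] ?? 0) === 443);

if (PHP_SAPI === 'cli') {
    // Self-test: show what the stock php.ini defaults look like to the audit,
    // then harden and audit again. Run with: php this_file.php
    $https = true;
    echo "Before hardening:\n";
    foreach (audit_session_cookie_settings($https) as $p) {
        echo "  - $p\n";
    }
    harden_session_cookies($https);
    $after = audit_session_cookie_settings($https);
    echo "After hardening:\n";
    echo $after ? '  - ' . implode("\n  - ", $after) . "\n" : "  (no problems found)\n";
} else {
    harden_session_cookies($https);
    session_start();
    // use_strict_mode covers IDs the client invents; the other half of the
    // session-fixation mitigation is rotating the ID whenever privilege
    // changes (for example right after a successful login):
    // session_regenerate_id(true);
}
```

Run under the CLI the script only exercises the audit; in a web SAPI it applies the settings and starts the session. The audit deliberately treats `cookie_secure` as conditional on HTTPS rather than mandatory, so that a plain-HTTP development host is not reported as broken for a cookie it could never receive.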