Newsgroups: php.internals
Xref: news.php.net php.internals:125541
Subject: Re: [PHP-DEV] [GitHub #7913] Vulnerability due to insecure default values for session.cookie_secure and session.cookie_httponly
From: hello@faizanakram.me (Faizan Akram Dar)
To: Claude Pache
Cc: etkaar+0cvptjjwq0@akayo.eu, internals@lists.php.net
Date: Fri, 13 Sep 2024 21:54:37 +0200

On Fri, Sep 13, 2024 at 9:51 PM Claude Pache wrote:
>
> On 13 Sep 2024 at 16:13, etkaar wrote:
>
> Hi!
>
> I created this issue in January 2022 but it seems it wasn't noticed yet (since you probably watch the mailing lists more than GitHub): https://github.com/php/php-src/issues/7913
>
> Kind Regards,
> etkaar
>
>
> Hi,
>
> * Defaulting `session.cookie_httponly` to `true` seems very reasonable.
>
> * Beware that if you set `session.cookie_secure` to `true`, you will break websites that are not served over https. Moreover, the reason for the breakage may not be evident.
>
> * You forgot another obvious setting: `session.cookie_samesite` must be "Lax" by default.
>
> * We should also consider setting `session.use_strict_mode` to `true`, in order to mitigate session fixation attacks.
>
> —Claude
>

Hi,

Maybe `session.cookie_secure` could use an additional value like `'auto'`, which would enable it for https and disable it for http. Symfony does it too: https://symfony.com/doc/current/reference/configuration/framework.html#cookie-secure

Kind regards,
Faizan
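Added example, not code from this thread or from php-src: a `session_start()` call that applies the settings Claude lists, with the `'auto'` behaviour Faizan describes (Secure only when the request actually came over TLS) done in userland. `request_is_https()`, `hardened_session_options()` and the `$trustedProxies` list are this example's own names and assumptions, not PHP API; the proxy IP is a placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from php-src. Userland equivalent of a
// `session.cookie_secure = auto`, plus the other flags discussed above.

/**
 * True when this request arrived over TLS.
 *
 * $server is the $_SERVER array (passed in so the function is testable).
 * $trustedProxies is a list of reverse-proxy IPs whose X-Forwarded-Proto header
 * we believe; it is an assumption of this example. Without it the header is
 * ignored, because any client can send "X-Forwarded-Proto: https" itself.
 */
function request_is_https(array $server, array $trustedProxies = []): bool
{
    // Set by Apache/nginx/php-fpm when the connection to PHP itself is TLS.
    // IIS sets it to "off" on plain HTTP, so compare against that too.
    if (isset($server['HTTPS']) && $server['HTTPS'] !== ''
        && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }

    // Behind a TLS-terminating proxy the hop to PHP is plain HTTP, so
    // $_SERVER['HTTPS'] is absent. Trust the forwarded scheme only when the
    // immediate peer is a proxy we configured.
    if (isset($server['REMOTE_ADDR'], $server['HTTP_X_FORWARDED_PROTO'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        $first = explode(',', (string) $server['HTTP_X_FORWARDED_PROTO'])[0];
        return strtolower(trim($first)) === 'https';
    }

    return false;
}

/**
 * Options array for session_start(); keys are session.* ini names without
 * the "session." prefix.
 */
function hardened_session_options(array $server, array $trustedProxies = []): array
{
    return [
        // Session ID not readable from JavaScript (limits cookie theft via XSS).
        'cookie_httponly'  => true,
        // The 'auto' behaviour: Secure on HTTPS, off on HTTP, so a site served
        // without TLS keeps working (Claude's breakage caveat) while a TLS site
        // never leaks the cookie over plaintext.
        'cookie_secure'    => request_is_https($server, $trustedProxies),
        // Cookie withheld on cross-site POSTs (CSRF mitigation); 'Lax' still
        // sends it on top-level GET navigations so normal links work.
        'cookie_samesite'  => 'Lax',
        // Reject session IDs the server did not itself generate (fixation).
        'use_strict_mode'  => true,
        // Never accept the session ID from the URL.
        'use_only_cookies' => true,
    ];
}

// Typical use at the top of a request. The proxy IP is a placeholder.
$trustedProxies = ['10.0.0.5'];
session_start(hardened_session_options($_SERVER, $trustedProxies));
```

To confirm the result, look at the response with `curl -sI https://yourhost/` and check that the `Set-Cookie: PHPSESSID=...` line carries `Secure; HttpOnly; SameSite=Lax`; on a plain-HTTP request only `HttpOnly; SameSite=Lax` should appear. Note the trade-off of the `'auto'` idea: if the HTTPS detection is wrong (most often a proxy deployment that does not set `HTTPS` and is not in the trusted list), the cookie is silently issued without `Secure`, so the detection itself has to be tested per deployment.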