Newsgroups: php.internals
Subject: httpOnly Cookies [tiny enhancement]
From: hansper@t-online.de (Jochen Hansper)
To: internals@lists.php.net
Date: Thu, 23 Jun 2005 02:03:24 +0200
Message-ID: <1119485004.7376.20.camel@mframe.test-lab>

Hi,

Internet Explorer 6 SP1 supports the cookie attribute "httponly" which prevents reading cookies from JavaScript or the like. This can help to mitigate XSS session hijacking. Browsers not supporting this cookie attribute are not disturbed if it is present.

AFAIK PHP does not support httponly cookies. So here's a patch that will add support for it in PHP4.
(files ext/session/session.c and ext/session/session_php.h have to be changed)

After you apply the changes (and recompile), you can add a line like this in php.ini:

session.cookie_httponly=1

It enables httpOnly cookies. Default value is 0 (off, if line is missing).

/****diff for session.c****/ bash#diff ./ext/session/session.c ./ext/session/session_with_httponly.c 142d141 < STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals) 857d855 < #define COOKIE_HTTPONLY "; httponly" 911,914d908 < if (PS(cookie_httponly)) { < smart_str_appends(&ncookie, COOKIE_HTTPONLY); < } < 1140c1134 < /* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure [, bool httponly]]]]) --- > /* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure]]]) 1144c1138 < zval **lifetime, **path, **domain, **secure, **httponly; --- > zval **lifetime, **path, **domain, **secure; 1149,1150c1143,1144 < if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 || < zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure, &httponly) == FAILURE) --- > if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 || > zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure) == FAILURE) 1167,1170d1160 < if (ZEND_NUM_ARGS() > 4) { < convert_to_long_ex(httponly); < zend_alter_ini_entry("session.cookie_httponly", sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME); < } 1190d1179 < add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
/****diff for session_php.h****/ bash#diff ./ext/session/php_session.h ./ext/session/php_session_with_httponly.h 106d105 < zend_bool cookie_httponly;

---------------------------

Keep in mind that the added protection by httpOnly cookies can be circumvented by XST-style attacks...

Hope this is useful....

Jochen
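Review bot: the session.c diff is reversed. In plain `diff old new` output a hunk such as `142d141` with only `<` lines means those lines exist in the first file and not in the second, so the command `diff ./ext/session/session.c ./ext/session/session_with_httponly.c` was run with the modified source as the first argument; fed to `patch` as posted it would remove the httponly code rather than add it. Swap the arguments (and prefer `diff -u` so the hunks carry context and apply cleanly against a moving tree) before this goes in.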
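Review bot: in the session_set_cookie_params hunks (1140c1134 through 1167,1170d1160) the fifth argument is handled with the same `convert_to_long_ex` / `Z_BVAL_PP` / `zend_alter_ini_entry` pattern as `secure`, which is consistent with the surrounding code, but note the scope: only the session cookie built in session.c gains the attribute. setcookie() in ext/standard/head.c gets no httponly parameter, so any other cookie an application sets stays readable from script, and the posting should say so. The proto comment is updated, but the manual entries for session_set_cookie_params and for the new `httponly` element returned by session_get_cookie_params (the add_assoc_bool at 1190d1179) still need to be written.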
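Review bot: the header file is misnamed. The preamble and the `/****diff for session_php.h****/` marker both say session_php.h, while the diff command and the PHP tree use ext/session/php_session.h; fix the name so the instructions match the source. Since the 106d105 hunk adds `zend_bool cookie_httponly` to the php_ps_globals struct, every object that includes php_session.h has to be rebuilt, so "recompile" in the instructions should mean a full rebuild, not just session.c.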
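A small check an operator can run against a patched build to confirm the session cookie actually leaves PHP with the attribute, added here as an example and not part of the post or of PHP. It parses Set-Cookie header values (attribute names are case-insensitive), looks up the session cookie by name, and reports whether httponly and secure are present; the two sample headers are constructed to look like what an unpatched and a patched PHP 4 session start would send, and the cookie name PHPSESSID is PHP's default session.name.

```python
from typing import Dict, List, Optional

# Constructed samples: a session cookie from an unpatched build and one sent
# with session.cookie_httponly=1 after the patch (the "; httponly" suffix).
SAMPLE_WITHOUT_FLAG = "PHPSESSID=0123456789abcdef0123456789abcdef; path=/"
SAMPLE_WITH_FLAG = "PHPSESSID=0123456789abcdef0123456789abcdef; path=/; httponly"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lowercased because they are case-insensitive
    ("httponly", "HttpOnly" and "HTTPONLY" are the same flag); valueless
    attributes such as httponly and secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def session_cookie_flags(set_cookie_headers: List[str],
                         session_name: str = "PHPSESSID") -> Optional[Dict[str, bool]]:
    """Return the httponly/secure state of the session cookie.

    Takes every Set-Cookie value from one response; returns None when no
    cookie with the session name was set at all.
    """
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == session_name:
            attrs = cookie["attrs"]
            return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_FLAG, SAMPLE_WITH_FLAG):
        print(sample, "->", session_cookie_flags([sample]))
```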