Newsgroups: php.internals
Date: Thu, 23 Jun 2005 02:15:40 +0200
From: mail@marcus-boerger.de (Marcus Boerger)
To: Jochen Hansper
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] httpOnly Cookies [tiny enhancement]
Message-ID: <1587152561.20050623021540@marcus-boerger.de>
In-Reply-To: <1119485004.7376.20.camel@mframe.test-lab>

Hello Jochen,

please resend your patch as unified patch (cvs di -u).

marcus

Thursday, June 23, 2005, 2:03:24 AM, you wrote:

> Hi,
> Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
> prevents reading cookies from JavaScript or the like. This can help to
> mitigate XSS session hijacking. Browsers not supporting this cookie
> attribute are not disturbed if it is present.
> AFAIK PHP does not support httponly cookies. So here's a patch that will
> add support for it in PHP4.
> (files ext/session/session.c and ext/session/session_php.h have to be
> changed)
> After you apply the changes (and recompile), you can add a line like
> this in php.ini:
> session.cookie_httponly=1
> It enables httpOnly cookies. Default value is 0 (off, if line is
> missing).
> /****diff for session.c****/
> bash#diff ./ext/session/session.c ./ext/session/session_with_httponly.c
> 142d141
> < STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0",
> PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals,
> ps_globals)
> 857d855
> < #define COOKIE_HTTPONLY "; httponly"
> 911,914d908
> < if (PS(cookie_httponly)) {
> < smart_str_appends(&ncookie, COOKIE_HTTPONLY);
> < }
> <
> 1140c1134
> < /* {{{ proto void session_set_cookie_params(int lifetime [, string
> path [, string domain [, bool secure [, bool httponly]]]])
> ---
>> /* {{{ proto void session_set_cookie_params(int lifetime [, string
>> path [, string domain [, bool secure]]])
> 1144c1138
> < zval **lifetime, **path, **domain, **secure, **httponly;
> ---
>> zval **lifetime, **path, **domain, **secure;
> 1149,1150c1143,1144
> < if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 ||
> < zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime,
> &path, &domain, &secure, &httponly) == FAILURE)
> ---
>> if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 ||
>> zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime,
>> &path, &domain, &secure) == FAILURE)
> 1167,1170d1160
> < if (ZEND_NUM_ARGS() > 4) {
> < convert_to_long_ex(httponly);
> <
> zend_alter_ini_entry("session.cookie_httponly",
> sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1,
> PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
> < }
> 1190d1179
> < add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
> /****diff for session_php.h****/
> bash#diff ./ext/session/php_session.h
> ./ext/session/php_session_with_httponly.h
> 106d105
> < zend_bool
cookie_httponly;
> ---------------------------
> Keep in mind that the added protection by httpOnly cookies can be
> circumvented by XST-style attacks...
> Hope this is useful....
> Jochen

-- 
Best regards,
 Marcus                            mailto:mail@marcus-boerger.de
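Review bot: the diff output is reversed relative to the command shown above it. Every hunk is a `d` or `c` operation whose `<` side (the first file, `./ext/session/session.c`) carries the httponly additions, e.g. `142d141` followed by `< STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", ...`, so feeding this output to patch(1) against an unmodified session.c would try to delete code that is not there instead of adding it. Either the two file arguments were swapped or the modified copy was diffed as the first file; a unified diff generated from the checkout with the modified file as the new side (`cvs diff -u`, as Marcus asks) fixes both the format and the direction.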
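Review bot: hunk `911,914d908` appends `COOKIE_HTTPONLY` only to `ncookie`, the session ID cookie assembled in session.c, so the sentence above saying that `session.cookie_httponly=1` "enables httpOnly cookies" is wider than what the code does: cookies emitted through setcookie() (ext/standard/head.c) still go out without the attribute. Either document the setting as covering the session cookie only, or add the same optional argument to setcookie() so application cookies can carry it too.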
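Review bot: the description names the header as `ext/session/session_php.h`, but the diff command and hunk `106d105` (`< zend_bool cookie_httponly;`) operate on `ext/session/php_session.h`; the text should name the file that is actually changed. The fifth `httponly` parameter in hunk `1140c1134` and the new `httponly` key returned by `add_assoc_bool` in hunk `1190d1179` are user-visible API changes to session_set_cookie_params() and session_get_cookie_params(), so the patch should come with a documentation/NEWS update describing them.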
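To confirm that a build with this patch really sends the attribute, here is an added example that is not part of the thread: a small Python check that parses the Set-Cookie headers of a response and reports which cookies lack `httponly` (and `secure`). The function names and the sample header block are my own constructions; the sample mirrors a session cookie emitted with `session.cookie_httponly=1` next to an application cookie from setcookie(), which the patch does not cover.

```python
"""Audit Set-Cookie headers for the httponly/secure attributes.

Added example, not code from the php.internals thread. Attribute names
are compared case-insensitively, as browsers do, so the lowercase
"; httponly" appended by the patch and "; HttpOnly" are both accepted.
"""


def cookie_attributes(set_cookie_value):
    """Return (cookie name, set of lowercased attribute names).

    'PHPSESSID=abc; path=/; httponly' -> ('PHPSESSID', {'path', 'httponly'})
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        if part:  # skip empty fragments such as a trailing ';'
            attrs.add(part.split("=", 1)[0].strip().lower())
    return name, attrs


def audit_cookies(raw_headers, required=("httponly", "secure")):
    """Map each cookie name in a raw header block to the required
    attributes it is missing; an empty set means the cookie is compliant."""
    report = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = cookie_attributes(value)
            report[name] = {a for a in required if a not in attrs}
    return report


# Constructed sample headers: the session cookie as the patched session.c
# would emit it, plus an application cookie set via setcookie().
SAMPLE_HEADERS = (
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; secure; httponly\r\n"
    "Set-Cookie: prefs=dark; expires=Thu, 23-Jun-2005 02:15:40 GMT; path=/\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(sorted(missing))
        print(cookie, status)
```

Pointing `audit_cookies` at the headers captured from a real response of the patched server shows at a glance whether the session cookie got the flag while other cookies did not.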