Hi,
Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
prevents reading cookies from JavaScript or the like. This can help to
mitigate XSS session hijacking. Browsers not supporting this cookie
attribute are not disturbed if it is present.
AFAIK PHP does not support httponly cookies. So here's a patch that will
add support for it in PHP4.
(files ext/session/session.c and ext/session/session_php.h have to be
changed)
After you apply the changes (and recompile), you can add a line like
this in php.ini:
session.cookie_httponly=1
It enables httpOnly cookies. The default value is 0 (off, if the line is
missing).
/diff for session.c/
bash#diff ./ext/session/session.c ./ext/session/session_with_httponly.c
142d141
< STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals)
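Review bot: the `<` lines in this hunk, and in every hunk below, are the additions, so the diff runs in the wrong direction for the command shown: `diff session.c session_with_httponly.c` marks with `<` the lines that exist only in the first file, which means either the two files were named the other way round or the modified copy is the one called session.c. Fed to patch(1) as is, it would delete the entries instead of adding them; please regenerate with the unmodified file first and `-u`. The PHP_INI_ALL mode itself is right, since the runtime `zend_alter_ini_entry()` call added to session_set_cookie_params() further down needs the entry to be changeable at PHP_INI_USER level.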
857d855
< #define COOKIE_HTTPONLY "; httponly"
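Review bot: the token is lowercase `httponly` while the attribute is documented by Microsoft as `HttpOnly`; browsers compare cookie attribute names case-insensitively, so it works, but emitting the documented spelling makes header captures easier to grep, and if there is a neighbouring COOKIE_SECURE style macro the new one should follow whatever case convention it uses.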
911,914d908
< if (PS(cookie_httponly)) {
< smart_str_appends(&ncookie, COOKIE_HTTPONLY);
< }
<
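Review bot: the last `<` line of this hunk is empty, so the patch adds a stray blank line after the closing brace of the new `if`; drop it. Also note that the append is done only where the session cookie string `ncookie` is built, and the patch touches nothing outside ext/session, so setcookie() callers still have no way to emit the attribute; that is a separate change, but the NEWS entry should say so.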
1140c1134
< /* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure [, bool httponly]]]])
/* {{{ proto void session_set_cookie_params(int lifetime [, string path [, string domain [, bool secure]]])
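Review bot: the proto comment is updated, but this `c` hunk (and the two below it) arrived with the old line missing its `>` marker and without the `---` separator, so the new and old versions of the line can only be told apart by spotting the extra `[, bool httponly]`; a unified diff (`diff -u`) makes that unambiguous. The new fifth parameter also needs a matching update to the manual entry for session_set_cookie_params().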
1144c1138
< zval **lifetime, **path, **domain, **secure, **httponly;
zval **lifetime, **path, **domain, **secure;
1149,1150c1143,1144
< if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 ||
< zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure, &httponly) == FAILURE)
if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 || zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, &domain, &secure) == FAILURE)
1167,1170d1160
< if (ZEND_NUM_ARGS() > 4) {
< convert_to_long_ex(httponly);
< zend_alter_ini_entry("session.cookie_httponly", sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
< }
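Review bot: `convert_to_long_ex(httponly)` followed by `Z_BVAL_PP(httponly)` turns a non-numeric string argument such as "yes" or "on" into 0, so `session_set_cookie_params(0, '/', '', false, 'yes')` silently leaves the flag off; for a parameter documented as bool use `convert_to_boolean_ex(httponly)` and then read `Z_BVAL_PP`. If this branch was copied from the handling of the secure argument just above it, the same fix applies there.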
1190d1179
< add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
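Review bot: session_get_cookie_params() now returns an additional "httponly" key, which is a visible API change; record it in NEWS and in the manual entry, whose documented return keys are lifetime, path, domain and secure, so that code comparing the array against a fixed key set is not surprised.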
/diff for session_php.h/
bash#diff ./ext/session/php_session.h ./ext/session/php_session_with_httponly.h
106d105
< zend_bool cookie_httponly;
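Review bot: the description above and the label "/diff for session_php.h/" call the header session_php.h, but the file in the diff command is ext/session/php_session.h; fix the text so the two-file patch can be applied from it without guessing. This new `zend_bool cookie_httponly` member of php_ps_globals is what STD_PHP_INI_BOOLEAN in the first session.c hunk binds to, so the two hunks must land together or the build breaks.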
Keep in mind that the added protection by httpOnly cookies can be circumvented by XST-style attacks...
Hope this is useful....
Jochen
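An added example, not part of the thread and not PHP's own code: a Python audit of the Set-Cookie header a PHP session handler sends, so an operator can verify that the patched build (or a later PHP with session.cookie_httponly) really emits the attribute, together with a check for the XST caveat Jochen mentions (a TRACE response that reflects the Cookie header, which script in the page can read even though document.cookie hides an HttpOnly cookie). The sample responses, the session id in them, www.example.com and the function names (audit_session_cookie, trace_echoes_cookie) are constructed for illustration and were not captured from any real server.

```python
"""Audit a server's session cookie for the HttpOnly and Secure attributes and
check for the XST (TRACE reflection) caveat, working from raw HTTP responses."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real host): the PHP
# session cookie as sent without the patch, and with both
# session.cookie_httponly=1 and session.cookie_secure=1 set in php.ini.
UNPATCHED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=3c1f0a9d6e5b4a2f8e7d9c1b0a3f5e6d; path=/\r\n"
    "\r\n"
)
PATCHED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=3c1f0a9d6e5b4a2f8e7d9c1b0a3f5e6d; path=/; secure; httponly\r\n"
    "Set-Cookie: lang=de; path=/\r\n"
    "\r\n"
)
# Constructed TRACE exchange: a server with TRACE enabled echoes the request,
# Cookie header included, as a message/http body.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: PHPSESSID=3c1f0a9d6e5b4a2f8e7d9c1b0a3f5e6d\r\n"
    "\r\n"
)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # lower-cased attribute -> value, None for flags


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value. Attribute names are compared
    case-insensitively, so "httponly", "HttpOnly" and "HTTPONLY" all match."""
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_session_cookie(raw_response: str, session_name: str = "PHPSESSID",
                         want_secure: bool = True) -> List[str]:
    """List the protections missing from the session cookie: "httponly",
    "secure", or "absent" if the response sets no cookie of that name."""
    for header_value in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(header_value)
        if cookie.name != session_name:
            continue
        missing = []
        if "httponly" not in cookie.attrs:
            missing.append("httponly")
        if want_secure and "secure" not in cookie.attrs:
            missing.append("secure")
        return missing
    return ["absent"]


def trace_echoes_cookie(raw_trace_response: str) -> bool:
    """True when a 200 TRACE response reflects a Cookie header in its body,
    i.e. HttpOnly can be bypassed XST-style; the fix is to disable TRACE."""
    head, _, body = raw_trace_response.partition("\r\n\r\n")
    if " 200 " not in head.split("\r\n", 1)[0]:
        return False
    return any(line.lower().startswith("cookie:") for line in body.split("\r\n"))


if __name__ == "__main__":
    for label, resp in (("unpatched", UNPATCHED_RESPONSE), ("patched", PATCHED_RESPONSE)):
        print(label, audit_session_cookie(resp) or "ok")
    print("TRACE reflects cookies:", trace_echoes_cookie(TRACE_RESPONSE))
```

To use it against a live host, capture the response headers of a page that calls session_start() (for example with `curl -si`) and pass the text to audit_session_cookie(); a non-empty list means the php.ini setting is not in effect for that request. The TRACE check is the reason the attribute is only a mitigation: if trace_echoes_cookie() returns True for the same host, disable TRACE in the web server before relying on HttpOnly.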
Hello Jochen,
please resend your patch as unified patch (cvs di -u).
marcus
Thursday, June 23, 2005, 2:03:24 AM, you wrote:
--
Best regards,
Marcus mailto:mail@marcus-boerger.de
Hello Marcus,
patches for official php-4.3.11 release in attachment... (diff -Naur)
Jochen
[php_session.h.patch; session.c.patch]
On Thursday, 23.06.2005, at 02:15 +0200, Marcus Boerger wrote:
Hello Jochen,
please resend your patch as unified patch (cvs di -u).
marcus
Thursday, June 23, 2005, 2:03:24 AM, you wrote:
Seems to be a good idea, but not for PHP 4 (closed for new features).
Official description:
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
Nuno
Provide the patch against CVS HEAD branch.
(either get the sources via CVS or as snapshot from http://snaps.php.net)
--Jani
--
Donate @ http://pecl.php.net/wishlist.php/sniper
Hi,
Supporting the httpOnly thing is good, but is a php.ini setting better than another setcookie() parameter? I thought that's how it would be implemented... Well, I guess we can use ini_set().
Matt
----- Original Message -----
From: "Jochen Hansper" hansper@t-online.de
Sent: Wednesday, June 22, 2005 7:03 PM
Subject: [PHP-DEV] httpOnly Cookies [tiny enhancement]
Hi,
I'm sorry, I didn't even see that this is for sessions! :-/ Nevermind...
Matt
----- Original Message -----
From: "Matt W" php_lists@realplain.com
Sent: Wednesday, June 22, 2005 7:36 PM
Subject: Re: [PHP-DEV] httpOnly Cookies [tiny enhancement]