> Hi All,

> I've just built a website with a simple component that matches businesses
> by type (like computerised dating for manufacturers :-) ). But the client
> has insisted that my work is insecure because the cookies are not set to
> httponly. I do not use cookies in my code. Nor are there any settings for
> cookies in joomla and I have no other extensions installed. Is there a
> technique I am missing?

> Rob

> Request:
> GET http://emc23.com/ HTTP/1.1
> Host: emc23.com
> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0)
> Gecko/20100101 Firefox/8.0
> Accept: text/html,application/xhtml+xml,application/
> xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> DNT: 1
> Proxy-Connection: keep-alive
> Cookie:
> 1da6be753397615b2862e9e7112f69d6
> =22bfflpo962cjujglm8dkmaef7; gantry-
> 23993ebf69b5cbb4ac0849e2e77e8edd-
> font-size-is=large

> Relevant Response:
> HTTP/1.1 200 OK
> Cache-Control: no-store, no-cache, must-revalidate,
> post-check=0, pre-check=0
> Pragma: no-cache
> Content-Type: text/html; charset=utf-8
> Expires: Mon, 1 Jan 2001 00:00:00 GMT
> Last-Modified: Mon, 28 Nov 2011 15:26:48 GMT
> Server: Microsoft-IIS/7.0
> X-Powered-By: PHP/5.2.17
> P3P: CP="NOI ADM DEV PSAi COM NAV OUR

> Evidence

> Set-Cookie:

> 11157dc14dcde32b631e222b1e55c08
> 3=deleted; expires=Sun, 28-Nov-2010
> 15:26:33 GMT; path=/
> Set-Cookie: gantry-
> 23993ebf69b5cbb4ac0849e2e77e8edd-
> font-size-is=deleted; expires=Tue, 27-
> Nov-2012 15:26:45 GMT; path=/
> X-Content-Encoded-By: Joomla! 1.5
> X-Powered-By: ASP.NET
> X-App-Hosting: pool=classic
> Date: Mon, 28 Nov 2011 15:26:48 GMT
> Connection: close
> Content-Length: 27468

> <!DOCTYPE html PUBLIC "-//W3C//DTD
> XHTML 1.0 Transitional//EN" "http://
> www.w3.org/TR/xhtml1/DTD/xhtml1-
> transitional.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml"
> xml:lang="en-gb" lang="en-gb" >
> <

> On Monday, 16 April 2012 18:56:28 UTC+10, Techbot wrote:

>> Hi All,

>> I've just built a website with a simple component that matches businesses
>> by type (like computerised dating for manufacturers :-) ). But the client
>> has insisted that my work is insecure because the cookies are not set to
>> httponly. I do not use cookies in my code. Nor are there any settings for
>> cookies in joomla and I have no other extensions installed. Is there a
>> technique I am missing?

>> Rob

>> Request:
>> GET http://emc23.com/ HTTP/1.1
>> Host: emc23.com
>> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0)
>> Gecko/20100101 Firefox/8.0
>> Accept: text/html,application/xhtml+**xml,application/
>> xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip, deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> DNT: 1
>> Proxy-Connection: keep-alive
>> Cookie:
>> 1da6be753397615b2862e9e7112f69**d6
>> =22bfflpo962cjujglm8dkmaef7; gantry-
>> 23993ebf69b5cbb4ac0849e2e77e8e**dd-
>> font-size-is=large

>> Relevant Response:
>> HTTP/1.1 200 OK
>> Cache-Control: no-store, no-cache, must-revalidate,
>> post-check=0, pre-check=0
>> Pragma: no-cache
>> Content-Type: text/html; charset=utf-8
>> Expires: Mon, 1 Jan 2001 00:00:00 GMT
>> Last-Modified: Mon, 28 Nov 2011 15:26:48 GMT
>> Server: Microsoft-IIS/7.0
>> X-Powered-By: PHP/5.2.17
>> P3P: CP="NOI ADM DEV PSAi COM NAV OUR

>> Evidence

>> Set-Cookie:

>> 11157dc14dcde32b631e222b1e55c0**8
>> 3=deleted; expires=Sun, 28-Nov-2010
>> 15:26:33 GMT; path=/
>> Set-Cookie: gantry-
>> 23993ebf69b5cbb4ac0849e2e77e8e**dd-
>> font-size-is=deleted; expires=Tue, 27-
>> Nov-2012 15:26:45 GMT; path=/
>> X-Content-Encoded-By: Joomla! 1.5
>> X-Powered-By: ASP.NET
>> X-App-Hosting: pool=classic
>> Date: Mon, 28 Nov 2011 15:26:48 GMT
>> Connection: close
>> Content-Length: 27468

>> <!DOCTYPE html PUBLIC "-//W3C//DTD
>> XHTML 1.0 Transitional//EN" "http://
>> www.w3.org/TR/xhtml1/DTD/**xhtml1-<http://www.w3.org/TR/xhtml1/DTD/xhtml1->
>> transitional.dtd">
>> <html xmlns="http://www.w3.org/1999/**xhtml<http://www.w3.org/1999/xhtml>
>> "
>> xml:lang="en-gb" lang="en-gb" >
>> <

>>  --
> You received this message because you are subscribed to the Google Groups
> "Joomla! CMS Development" group.
> To view this discussion on the web, visit
> https://groups.google.com/d/msg/joomla-dev-cms/-/uNyTJqkfpqAJ.

> To post to this group, send an email to joomla-dev-cms@googlegroups.com.
> To unsubscribe from this group, send email to
> joomla-dev-cms+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/joomla-dev-cms?hl=en-GB.

> Hi All,

> I've just built a website with a simple component that matches
> businesses by type (like computerised dating for manufacturers :-) ).
> But the client has insisted that my work is insecure because the
> cookies are not set to httponly. I do not use cookies in my code. Nor
> are there any settings for cookies in joomla and I have no other
> extensions installed. Is there a technique I am missing?

> Joomla sets a session cookie.  Anonymous users are still users, their just
> all users with the name anonymous and the group guest.

> Joomla! uses most of the PHP Session functions, so you CAN make changes
> there.
> http://www.php.net/manual/en/function.session-set-cookie-params.php

> So a simple system plugin might do the trick.  Use the beforeRender event
> and run:
> $currentCookieParams = session_get_cookie_params();
> $httpOnly = true;
> session_set_cookie_params(
>     $currentCookieParams["lifetime"],
>     $currentCookieParams["path"],
>     $currentCookieParams["domain"],
>     $currentCookieParams["secure"],
>     $httpOnly
> );

> Rob & Lisa - EMC23

> Thanks
> Rob

> Joomla sets a session cookie.  Anonymous users are still users, their just all users with the name anonymous and the group guest.

> Joomla! uses most of the PHP Session functions, so you CAN make changes there.
> http://www.php.net/manual/en/function.session-set-cookie-params.php

> So a simple system plugin might do the trick.  Use the beforeRender event and run:
> $currentCookieParams = session_get_cookie_params();
> $httpOnly = true;
> session_set_cookie_params(
>     $currentCookieParams["lifetime"],
>     $currentCookieParams["path"],
>     $currentCookieParams["domain"],
>     $currentCookieParams["secure"],
>     $httpOnly
> );

> Rob & Lisa - EMC23
> 083 416 0618
> i...@emc23.com
> www.emc23.com

> --
> You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
> To post to this group, send an email to joomla-dev-cms@googlegroups.com.
> To unsubscribe from this group, send email to joomla-dev-cms+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.

> It may be worth considering doing this via PHP in the core. But as a warning, it's a really thin layer of security since you can get around it trough AJAX requests.

> Rouven

> On 16.04.2012, at 16:34, Rob Stocker wrote:

> > Excellent Gary,
> > that's exactly what I need to do.

> > Thanks
> > Rob

> > Joomla sets a session cookie.  Anonymous users are still users, their just all users with the name anonymous and the group guest.

> > Joomla! uses most of the PHP Session functions, so you CAN make changes there.
> >http://www.php.net/manual/en/function.session-set-cookie-params.php

> > So a simple system plugin might do the trick.  Use the beforeRender event and run:
> > $currentCookieParams = session_get_cookie_params();
> > $httpOnly = true;
> > session_set_cookie_params(
> >     $currentCookieParams["lifetime"],
> >     $currentCookieParams["path"],
> >     $currentCookieParams["domain"],
> >     $currentCookieParams["secure"],
> >     $httpOnly
> > );

> > Rob & Lisa - EMC23
> > 083 416 0618
> > i...@emc23.com
> >www.emc23.com

> > --
> > You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
> > To post to this group, send an email to joomla-dev-cms@googlegroups.com.
> > To unsubscribe from this group, send email to joomla-dev-cms+unsubscribe@googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/joomla-dev-cms?hl=en-GB.

> As far as I know, non-htttponly cookies could be an security issue
> only if you are running 3p javascript on the website (ads, widgets,
> etc) but then there are more risks.

> > As far as I know, non-htttponly cookies could be an security issue
> > only if you are running 3p javascript on the website (ads, widgets,
> > etc) but then there are more risks.

> At the end of the day, if the client wants httponly cookies - it's a lot
> easier to give them httponly cookies then to convince them that the
> security they offer is negligible.