I've just built a website with a simple component that matches businesses by type (like computerised dating for manufacturers :-) ). But the client has insisted that my work is insecure because the cookies are not set to httponly. I do not use cookies in my code. Nor are there any settings for cookies in joomla and I have no other extensions installed. Is there a technique I am missing?
It appears you're using a template based on the Gantry framework<http://www.gantry-framework.org/>, which uses cookies to store individual user preferences for attributes like font-size or template colour scheme.
On Monday, 16 April 2012 18:56:28 UTC+10, Techbot wrote:
> Hi All,
> I've just built a website with a simple component that matches businesses > by type (like computerised dating for manufacturers :-) ). But the client > has insisted that my work is insecure because the cookies are not set to > httponly. I do not use cookies in my code. Nor are there any settings for > cookies in joomla and I have no other extensions installed. Is there a > technique I am missing?
On Mon, Apr 16, 2012 at 11:31 AM, Craig Phillips <cp21...@gmail.com> wrote: > It appears you're using a template based on the Gantry framework<http://www.gantry-framework.org/>, > which uses cookies to store individual user preferences for attributes like > font-size or template colour scheme.
> On Monday, 16 April 2012 18:56:28 UTC+10, Techbot wrote:
>> Hi All,
>> I've just built a website with a simple component that matches businesses >> by type (like computerised dating for manufacturers :-) ). But the client >> has insisted that my work is insecure because the cookies are not set to >> httponly. I do not use cookies in my code. Nor are there any settings for >> cookies in joomla and I have no other extensions installed. Is there a >> technique I am missing?
> To post to this group, send an email to joomla-dev-cms@googlegroups.com. > To unsubscribe from this group, send email to > joomla-dev-cms+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/joomla-dev-cms?hl=en-GB.
> I've just built a website with a simple component that matches > businesses by type (like computerised dating for manufacturers :-) ). > But the client has insisted that my work is insecure because the > cookies are not set to httponly. I do not use cookies in my code. Nor > are there any settings for cookies in joomla and I have no other > extensions installed. Is there a technique I am missing?
Joomla sets a session cookie. Anonymous users are still users, their just all users with the name anonymous and the group guest.
So a simple system plugin might do the trick. Use the beforeRender event and run: $currentCookieParams=session_get_cookie_params(); $httpOnly = true; session_set_cookie_params( $currentCookieParams["lifetime"], $currentCookieParams["path"], $currentCookieParams["domain"], $currentCookieParams["secure"], $httpOnly );
> So a simple system plugin might do the trick. Use the beforeRender event > and run: > $currentCookieParams = session_get_cookie_params(); > $httpOnly = true; > session_set_cookie_params( > $currentCookieParams["lifetime"], > $currentCookieParams["path"], > $currentCookieParams["domain"], > $currentCookieParams["secure"], > $httpOnly > );
You can actually control this for the session cookie - the only Joomla cookies for which this makes sense - trough the php.ini. Just set session.cookie_httponly to true.
It may be worth considering doing this via PHP in the core. But as a warning, it's a really thin layer of security since you can get around it trough AJAX requests.
> So a simple system plugin might do the trick. Use the beforeRender event and run: > $currentCookieParams = session_get_cookie_params(); > $httpOnly = true; > session_set_cookie_params( > $currentCookieParams["lifetime"], > $currentCookieParams["path"], > $currentCookieParams["domain"], > $currentCookieParams["secure"], > $httpOnly > );
> Rob & Lisa - EMC23 > 083 416 0618 > i...@emc23.com > www.emc23.com
> -- > You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group. > To post to this group, send an email to joomla-dev-cms@googlegroups.com. > To unsubscribe from this group, send email to joomla-dev-cms+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.
As far as I know, non-htttponly cookies could be an security issue
only if you are running 3p javascript on the website (ads, widgets,
etc) but then there are more risks.
On Apr 16, 10:29 pm, Rouven Weßling <m...@rouvenwessling.de> wrote:
> You can actually control this for the session cookie - the only Joomla cookies for which this makes sense - trough the php.ini. Just set session.cookie_httponly to true.
> It may be worth considering doing this via PHP in the core. But as a warning, it's a really thin layer of security since you can get around it trough AJAX requests.
> Rouven
> On 16.04.2012, at 16:34, Rob Stocker wrote:
> > Excellent Gary,
> > that's exactly what I need to do.
> > Thanks
> > Rob
> > Joomla sets a session cookie. Anonymous users are still users, their just all users with the name anonymous and the group guest.
> > So a simple system plugin might do the trick. Use the beforeRender event and run:
> > $currentCookieParams = session_get_cookie_params();
> > $httpOnly = true;
> > session_set_cookie_params(
> > $currentCookieParams["lifetime"],
> > $currentCookieParams["path"],
> > $currentCookieParams["domain"],
> > $currentCookieParams["secure"],
> > $httpOnly
> > );
> > Rob & Lisa - EMC23
> > 083 416 0618
> > i...@emc23.com
> >www.emc23.com
> > --
> > You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
> > To post to this group, send an email to joomla-dev-cms@googlegroups.com.
> > To unsubscribe from this group, send email to joomla-dev-cms+unsubscribe@googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/joomla-dev-cms?hl=en-GB.
On Tuesday, April 17, 2012 1:55:37 PM UTC-4, piotr_cz wrote:
> As far as I know, non-htttponly cookies could be an security issue > only if you are running 3p javascript on the website (ads, widgets, > etc) but then there are more risks.
At the end of the day, if the client wants httponly cookies - it's a lot easier to give them httponly cookies then to convince them that the security they offer is negligible.
> On Tuesday, April 17, 2012 1:55:37 PM UTC-4, piotr_cz wrote:
> > As far as I know, non-htttponly cookies could be an security issue
> > only if you are running 3p javascript on the website (ads, widgets,
> > etc) but then there are more risks.
> At the end of the day, if the client wants httponly cookies - it's a lot
> easier to give them httponly cookies then to convince them that the
> security they offer is negligible.
