Set cookies to Httponly?


Techbot

Apr 16, 2012, 4:56:28 AM4/16/12
to joomla-...@googlegroups.com

Hi All,

I've just built a website with a simple component that matches businesses by type (like computerised dating for manufacturers :-) ). But the client has insisted that my work is insecure because the cookies are not set to httponly. I do not use cookies in my code. Nor are there any settings for cookies in Joomla, and I have no other extensions installed. Is there a technique I am missing?


Rob

Request:
GET http://emc23.com/ HTTP/1.1
Host: emc23.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: 1da6be753397615b2862e9e7112f69d6=22bfflpo962cjujglm8dkmaef7; gantry-23993ebf69b5cbb4ac0849e2e77e8edd-font-size-is=large

Relevant Response:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 28 Nov 2011 15:26:48 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.2.17
P3P: CP="NOI ADM DEV PSAi COM NAV OUR

Evidence

Set-Cookie: 11157dc14dcde32b631e222b1e55c083=deleted; expires=Sun, 28-Nov-2010 15:26:33 GMT; path=/
Set-Cookie: gantry-23993ebf69b5cbb4ac0849e2e77e8edd-font-size-is=deleted; expires=Tue, 27-Nov-2012 15:26:45 GMT; path=/
X-Content-Encoded-By: Joomla! 1.5
X-Powered-By: ASP.NET
X-App-Hosting: pool=classic
Date: Mon, 28 Nov 2011 15:26:48 GMT
Connection: close
Content-Length: 27468

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<
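An added check, not part of the thread, that does what the scanner did to the response above: it parses each Set-Cookie header and reports cookies set without HttpOnly (and Secure). The two sample headers are the ones from the evidence, rejoined onto single lines; the third, example_session, is made up here for contrast.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes."""
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str        # cookie name as it appears in the header
    missing: list    # attribute names the cookie was set without
    deleted: bool    # True when the header clears the cookie (value "deleted")


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # skip empty segments left by a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit(headers, required=("httponly", "secure")):
    """Return a CookieFinding for every header lacking one of the required flags."""
    findings = []
    for line in headers:
        if line.lower().startswith("set-cookie:"):  # accept full header lines too
            line = line.split(":", 1)[1]
        cookie = parse_set_cookie(line)
        missing = [flag for flag in required if flag not in cookie["attrs"]]
        if missing:
            findings.append(CookieFinding(cookie["name"], missing,
                                          cookie["value"] == "deleted"))
    return findings


# Constructed sample: the two headers from the scanner evidence, rejoined onto
# single lines, plus one hardened header (made up here) for contrast.
SAMPLE_HEADERS = [
    "Set-Cookie: 11157dc14dcde32b631e222b1e55c083=deleted; "
    "expires=Sun, 28-Nov-2010 15:26:33 GMT; path=/",
    "Set-Cookie: gantry-23993ebf69b5cbb4ac0849e2e77e8edd-font-size-is=deleted; "
    "expires=Tue, 27-Nov-2012 15:26:45 GMT; path=/",
    "Set-Cookie: example_session=abc123; path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        note = " (cookie-clearing header)" if f.deleted else ""
        print(f"{f.name}: missing {', '.join(f.missing)}{note}")
```

Both flagged headers carry the value deleted, i.e. they clear a cookie rather than issue one, which is worth noticing when reading a scanner report of this kind.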

Craig Phillips

Apr 16, 2012, 6:31:45 AM4/16/12
to joomla-...@googlegroups.com
It appears you're using a template based on the Gantry framework, which uses cookies to store individual user preferences for attributes like font-size or template colour scheme. 

Rob Stocker

Apr 16, 2012, 6:40:18 AM4/16/12
to joomla-...@googlegroups.com
:-)
Hi Craig,
I just inherited this site and never paid attention to the template. I assumed it was a static affair.

Thank you very much.

regards
Rob

--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/uNyTJqkfpqAJ.

To post to this group, send an email to joomla-...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-cm...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.



--
Rob & Lisa - EMC23
083 416 0618
in...@emc23.com
www.emc23.com

Gary Mort

Apr 16, 2012, 10:00:36 AM4/16/12
to joomla-...@googlegroups.com
On 4/16/2012 4:56 AM, Techbot wrote:

Hi All,

I've just built a website with a simple component that matches businesses by type (like computerised dating for manufacturers :-) ). But the client has insisted that my work is insecure because the cookies are not set to httponly. I do not use cookies in my code. Nor are there any settings for cookies in Joomla, and I have no other extensions installed. Is there a technique I am missing?


Joomla sets a session cookie.  Anonymous users are still users; they're just all users with the name anonymous and the group guest.

Joomla! uses most of the PHP Session functions, so you CAN make changes there.
http://www.php.net/manual/en/function.session-set-cookie-params.php

So a simple system plugin might do the trick.  Use the beforeRender event and run:
// Keep the current lifetime/path/domain/secure values and only turn on HttpOnly.
$currentCookieParams = session_get_cookie_params();
$httpOnly = true;
session_set_cookie_params(
    $currentCookieParams["lifetime"],
    $currentCookieParams["path"],
    $currentCookieParams["domain"],
    $currentCookieParams["secure"],
    $httpOnly
);




Rob Stocker

Apr 16, 2012, 10:34:38 AM4/16/12
to joomla-...@googlegroups.com
Excellent Gary,
that's exactly what I need to do.

Thanks
Rob


Rouven Weßling

Apr 16, 2012, 4:29:14 PM4/16/12
to joomla-...@googlegroups.com
You can actually control this for the session cookie - the only Joomla cookie for which this makes sense - through the php.ini. Just set session.cookie_httponly to true.

It may be worth considering doing this via PHP in the core. But as a warning, it's a really thin layer of security since you can get around it through AJAX requests.

Rouven


piotr_cz

Apr 17, 2012, 1:55:37 PM4/17/12
to Joomla! CMS Development
As far as I know, non-httponly cookies could be a security issue
only if you are running 3p javascript on the website (ads, widgets,
etc) but then there are more risks.

On Apr 16, 10:29 pm, Rouven Weßling <m...@rouvenwessling.de> wrote:
> You can actually control this for the session cookie - the only Joomla cookie for which this makes sense - through the php.ini. Just set session.cookie_httponly to true.
>
> It may be worth considering doing this via PHP in the core. But as a warning, it's a really thin layer of security since you can get around it through AJAX requests.
>
> Rouven

garyamort

Apr 18, 2012, 3:08:32 PM4/18/12
to joomla-...@googlegroups.com


On Tuesday, April 17, 2012 1:55:37 PM UTC-4, piotr_cz wrote:
As far as I know, non-httponly cookies could be a security issue
only if you are running 3p javascript on the website (ads, widgets,
etc) but then there are more risks.

At the end of the day, if the client wants httponly cookies - it's a lot easier to give them httponly cookies than to convince them that the security they offer is negligible.

piotr_cz

Apr 19, 2012, 4:08:42 AM4/19/12
to Joomla! CMS Development
Unfortunately you are right.
Just wish everybody the least of this kind of clients.