General developer forum

HttpOnly cookies

Simon Coggins
HttpOnly cookies
Core developersPlugin developers

I was looking at the Security settings and noticed this in the description of the setting "only http cookies":

Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.

Obviously that comment is quite old, and now that Moodle requires PHP > 5.2 and all modern browsers support it I wonder if it would make sense to turn it on by default?

What I'm not sure about is the line "it may not be fully compatible with current code". Does anyone know of any code that uses JS to access the session cookie intentionally?


Average of ratings: -
Picture of Rex Lorenzo
Re: HttpOnly cookies
Core developersParticularly helpful MoodlersPlugin developersPlugins guardiansTesters

Yeah, I wonder about that too. I just checked and we haven't enabled that on our site. I am guessing it is because of the message that it may not be fully compatible.

Anyone running in production with this setting enabled?

Average of ratings: -
Dan at desk in Moodle HQ, Perth
Re: HttpOnly cookies
Core developersMoodle Course Creator Certificate holdersMoodle HQPlugin developersTesters

It was introduced way back in 2008 in commit 4ea8df2, linked to bug MDL-13623. But I'm afraid Petr doesn't offer any insight into what 'may not be fully compatible with scripting technologies we have in code' means. I've pinged him on that bug.

Average of ratings: -
Picture of Matteo Scaramuccia
Re: HttpOnly cookies
Core developersParticularly helpful MoodlersPlugin developers

Hi All,
I can share my own experience: the potential issue linked to enabling such restriction is to deny plug-ins like Flash and Java to access those cookies of the HTTP Request context from which they've been loaded; that means that they cannot push back the same payload if they are required to connect to Moodle by themselves.

Real life examples? SCORM module - yes, I play quite a lot with them wink -: if your vendor makes usage of such plug-ins and they need to contact Moodle via HTTP - read e.g. Flash to load TXT/XML files from within the package or let AICC work if the plug-in is used to manage the HACP talk - they will fail due to the require_login() restrictions not satisfied by the lack of the authentication related cookies.


Average of ratings: Useful (2)