HttpOnly cookies

Posted by Simon Coggins
Number of replies: 3

I was looking at the Security settings and noticed this in the description of the setting "only http cookies":

Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks.

Obviously that comment is quite old, and now that Moodle requires PHP > 5.2 and all modern browsers support it I wonder if it would make sense to turn it on by default?

What I'm not sure about is the line "it may not be fully compatible with current code". Does anyone know of any code that uses JS to access the session cookie intentionally?

Simon

Average rating: -
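An added defender-side check, not part of the thread or of Moodle's code: it parses the Set-Cookie headers a site returns and reports which session cookies lack the HttpOnly (and Secure) flag that the "only http cookies" setting is meant to add. The response headers and the cookie names ("MoodleSession" as the session cookie prefix) are constructed sample values for this example.

```python
# Added example (not from the forum thread or Moodle): audit Set-Cookie headers
# for the HttpOnly flag that Moodle's "only http cookies" setting is meant to add.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: list = field(default_factory=list)  # human-readable issues


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record which hardening flags it carries."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; PHP emits "HttpOnly", others may not.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    findings = []
    if not httponly:
        findings.append("missing HttpOnly: readable from document.cookie by page scripts")
    if not secure:
        findings.append("missing Secure: may be sent over plain HTTP")
    return CookieAudit(name, httponly, secure, findings)


def audit_session_cookies(headers, session_prefixes=("MoodleSession",)):
    """Return audits for every Set-Cookie header whose cookie name looks like a session cookie."""
    results = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        audit = parse_set_cookie(hvalue)
        if any(audit.name.startswith(prefix) for prefix in session_prefixes):
            results.append(audit)
    return results


# Constructed sample response headers (assumed values, not captured from a real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "MoodleSession=abc123; path=/; HttpOnly; Secure"),
    ("Set-Cookie", "MoodleSessionTest=xyz789; path=/"),
    ("Set-Cookie", "MOODLEID1_=deadbeef; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/"),
]

if __name__ == "__main__":
    for audit in audit_session_cookies(SAMPLE_HEADERS):
        print(audit.name, "OK" if not audit.findings else "; ".join(audit.findings))
```

Run it against the headers of a real login response (for example from `curl -sI`) to confirm the setting actually took effect after enabling it.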
In reply to Simon Coggins

Re: HttpOnly cookies

Posted by Rex Lorenzo

Yeah, I wonder about that too. I just checked and we haven't enabled that on our site. I am guessing it is because of the message that it may not be fully compatible.

Anyone running in production with this setting enabled?

In reply to Simon Coggins

Re: HttpOnly cookies

Posted by Dan Poltawski

It was introduced way back in 2008 in commit 4ea8df2, linked to bug MDL-13623. But I'm afraid Petr doesn't offer any insight into what 'may not be fully compatible with scripting technologies we have in code' means. I've pinged him on that bug.

In reply to Dan Poltawski

Re: HttpOnly cookies

Posted by Matteo Scaramuccia

Hi All,
I can share my own experience: the potential issue linked to enabling such a restriction is that it denies plug-ins like Flash and Java access to the cookies of the HTTP request context from which they've been loaded; that means they cannot push back the same payload if they are required to connect to Moodle by themselves.

Real life examples? SCORM module - yes, I play quite a lot with them (wink) - if your vendor makes use of such plug-ins and they need to contact Moodle via HTTP - e.g. Flash loading TXT/XML files from within the package, or letting AICC work if the plug-in is used to manage the HACP talk - they will fail because the require_login() restrictions are not satisfied, due to the lack of the authentication-related cookies.

HTH,
Matteo

Average rating: Useful (3)