Guide to PHP Security
Thursday, August 10, 2006
httpOnly cookie flag support in PHP 5.2
Thanks to a patch from Scott MacVicar that I've just applied to CVS, PHP 5.2 will have support for the httpOnly cookie flag. This neat little feature allows you to mark a newly created cookie as HTTP only, in other words inaccessible to browser-based scripting languages such as JavaScript. This means it becomes far more difficult, if not impossible, to steal a user's cookie-based session by injecting JavaScript into a page and then using it to read the cookies.
This flag can be toggled by passing TRUE as the 7th parameter to the setcookie() and setrawcookie() functions. Ex:
PHP:
Support for the httpOnly flag extends to the session extension as well, where it can be enabled by setting the session.cookie_httponly INI setting to 1, or by passing TRUE as the 5th parameter to the session_set_cookie_params() function.
PHP:
Unfortunately, according to my tests, at this time no other browser has adopted this rather handy feature, but with the continual increase in XSS attacks I am sure they'll adopt this concept soon. For people using PHP 4 and PHP 5.1, you can add this flag yourself by sending cookies manually via the header() function and adding the ;httpOnly flag to the cookie, as shown in the example below:
PHP:
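As an added example (not the code from the original post), the three mechanisms described above in one PHP snippet: the 7th setcookie() argument on PHP 5.2, the hand-built Set-Cookie header for PHP 4 and 5.1, and the session extension settings. The helper names set_httponly_cookie() and build_httponly_cookie_header() are this example's own, not part of PHP.

```php
<?php
// Added example, not code from the original post. The helper names
// set_httponly_cookie() and build_httponly_cookie_header() are this example's
// own; setcookie(), session_set_cookie_params() and session.cookie_httponly
// are the real PHP functions and INI setting the post describes.

// Raw Set-Cookie header value with "; httpOnly" appended, for PHP 4 / 5.1
// where setcookie() has no httponly parameter yet.
function build_httponly_cookie_header($name, $value, $expire = 0, $path = '/',
                                      $domain = '', $secure = false)
{
    $cookie = $name . '=' . urlencode($value);   // same encoding setcookie() uses
    if ($expire > 0) {
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '')   { $cookie .= '; path=' . $path; }
    if ($domain !== '') { $cookie .= '; domain=' . $domain; }
    if ($secure)        { $cookie .= '; secure'; }
    return $cookie . '; httpOnly';
}

// Sends the cookie with httpOnly set, picking the mechanism by PHP version.
function set_httponly_cookie($name, $value, $expire = 0, $path = '/',
                             $domain = '', $secure = false)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // The 7th argument of setcookie() is the httponly flag.
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }
    // Older PHP: emit the header by hand (false = keep earlier Set-Cookie headers).
    header('Set-Cookie: ' . build_httponly_cookie_header($name, $value, $expire,
                                                          $path, $domain, $secure), false);
    return true;
}

// Session cookie: the INI setting, or the 5th argument of
// session_set_cookie_params(). Both must run before session_start().
ini_set('session.cookie_httponly', '1');
if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
    session_set_cookie_params(0, '/', '', false, true);
}

// Constructed sample cookie: a preferences cookie valid for one day.
set_httponly_cookie('prefs', 'theme=dark', time() + 86400);
echo build_httponly_cookie_header('prefs', 'theme=dark'), "\n";
```

Check the result in the browser's developer tools or with a quick document.cookie read on a test page: a correctly flagged cookie is sent with the request but does not appear in document.cookie on browsers that honour the flag.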
Comments
YAY! Thanks Scott and Ilia!
I will amend the OWASP Guide 3.0 to include this information.
Andrew
I did some tests prior to creating the patch, and IE 6 SP1, Opera 9.01 and Konqueror had support. Safari may have support, though I'm unaware of how much of KHTML they use.
Firefox currently has a patch but is being cautious about breaking backwards compatibility with the cookie file format. It should be noted that this doesn't fix XSS attacks and is only useful when the cookies contain sensitive information; an attacker could still insert a script which executes an attack by manipulating the content of a page via the DOM.
I have the latest Safari here, and a basic test showed that it completely ignores the httpOnly flag.
I've also just downloaded Opera 9.01 for Mac, and it too ignores the httpOnly flag.
It appears you are correct about Opera 9.01; enabling cookies might have helped.
I'll drop our QA contact at Opera an email tomorrow and open a WebKit Bugzilla report regarding it too.
Confirmed httponly only working with IE6 and IE7b3 here. Tested against Opera 9.1, Firefox 1.5.2, Safari 2.0.4. Does not break any of the listed browsers.
Thanks! I already added support for that to Agavi (http://www.agavi.org/).
Good news!
Will be waiting for support for this feature by popular browsers...
Is the cookie specification being amended/revised to add the httpOnly flag, or is this something that one browser developer thought up? In short, I'm just curious to know who developed the idea of httpOnly and who is driving its adoption?
Well, doing a Google search brings up a lot about IE, but http://weblogs.mozillazine.org/gerv/archives/2006/07/httponly_for_firefox.html brings up more information. It is not officially a standard, but I'm sure it will be made one in the far future.
The functionality is a Microsoft invention; the full doc on the feature can be found here:
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
At this time, as far as I can tell, no other browser supports this functionality.
Andrew lists browser support here:
http://greebo.net/?p=364
As far as I know, Mozilla/Firefox is the only major browser that doesn't support HttpOnly, and it has something to do with not wanting to change the format of the cookies file.
His tests are invalid. I can confirm with Safari and Opera 9.01 that it is possible to read httpOnly cookies with JavaScript.
Nice work! I've recently been researching this, so I'm looking forward to 5.2 being released.
Thanks!
I think that stealing an httpOnly cookie is possible when you have an XSS vulnerability and the web server supports HEAD requests. But of course it is much more difficult to steal the cookie than without httpOnly.
Generally I like the httpOnly approach very much, even though it is coming from Microsoft. Maybe it would be a good idea to send out PHP's session cookies with the HttpOnly flag, as ASP.NET 2.0 does? Browsers other than IE then ignore the flag, therefore nothing breaks; and IE then disallows JavaScript access to the cookie (which is probably not used by many applications).
I'd be wary of enabling it by default for the session extension, given that some people may be trying to access their PHP session id with JavaScript (intentionally); I've seen this happen in real life. But that's something that can be considered later.
It is also important to note that some browsers do break with this flag, IE on a mac is one notable example.
Not to appear rude, but I was hoping that PHP was becoming LESS of a mess. Why haphazardly add stuff until it's decided how it's going to turn out? I mean, come on, just LOOK at that. Ok, sure, it's a useful addition... it's still ugly as sin.
PHP was never about "pretty"; it was about providing efficient tools to get the job done in the shortest time possible.
You don't have to wait for PHP 5.2; you can start using this now, without hand-rolling Set-Cookie headers, thanks to a lax check in the PHP source code:
http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html
Here is a funny hack that brings httpOnly cookie support to Firefox.
http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
The HttpOnly flag is not 100% protection against XSS. It's just another barrier of site protection.
Opera just added support for httpOnly cookies in its latest alpha build; it's there under Miscellaneous:
http://snapshot.opera.com/windows/w950a1.html
Firefox 2.0.0.5 finally has support for httponly:
http://forums.mozillazine.org/viewtopic.php?p=2965188
It's good to see PHP ready for that flag. Of course this is not 100% XSS protection, but anyway, we should do everything possible in case we forgot to escape something... (even Google has XSS, which means everyone can have it). Now browser and plugin developers (like Flash) must make sure that a cookie with httponly can't be seen by client-side scripts.