[Bb-trac] [bbPress] #958: bbPress should implement HttpOnly Cookies to slow down XSS
bbPress
bb-trac at lists.bbpress.org
Wed Sep 3 15:53:33 GMT 2008
#958: bbPress should implement HttpOnly Cookies to slow down XSS
----------------------+-----------------------------------------------------
Reporter: _ck_ | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 1.0-beta & XML-RPC
Component: Back-end | Version:
Severity: normal | Keywords: security, cookies
----------------------+-----------------------------------------------------
While it's far from perfect and there are complex ways around it,
`HttpOnly` Cookies are supported now by all major browsers and will
prevent many kinds of XSS attacks.
`HttpOnly` Cookies simply prevent cookies from being accessed via
JavaScript's `document.cookie`, so an admin's cookie cannot be easily
forwarded to another domain via injected JavaScript.
The technique is this simple:
{{{
// setcookie() only gained a $httponly argument in PHP 5.2, so on older
// versions the attribute is smuggled in through the $domain string, which
// PHP copies verbatim into the Set-Cookie header.
if ( version_compare( PHP_VERSION, '5.2.0', '<' ) ) {
	@setcookie( $name, $value, $expires, $path, $domain . '; HttpOnly' );
} else {
	// 6th argument is $secure (left unset here), 7th is $httponly.
	@setcookie( $name, $value, $expires, $path, $domain, NULL, TRUE );
}
}}}
--
Ticket URL: <http://trac.bbpress.org/ticket/958>
bbPress <http://bbpress.org/>
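The two-branch setter from the ticket, wrapped in a reusable function, together with a small audit helper that scans outgoing `Set-Cookie` headers for any cookie that was emitted without the `HttpOnly` attribute. This is an added example, not bbPress code; the function names `bb_set_httponly_cookie` and `cookies_missing_httponly` and the sample headers are constructed for illustration.

```php
<?php
// Added example (not bbPress code). Sets a cookie with HttpOnly on both
// pre-5.2 PHP (domain-string trick) and 5.2+ (native $httponly argument).
function bb_set_httponly_cookie($name, $value, $expires = 0, $path = '/',
                                $domain = '', $secure = false) {
    if (version_compare(PHP_VERSION, '5.2.0', '<')) {
        // No $httponly parameter yet: append the attribute to the domain,
        // which setcookie() copies verbatim into the Set-Cookie header.
        return setcookie($name, $value, $expires, $path,
                         $domain . '; HttpOnly', $secure);
    }
    return setcookie($name, $value, $expires, $path, $domain, $secure, true);
}

// Given raw response header lines (e.g. from headers_list()), return the
// names of cookies set WITHOUT HttpOnly, so a forgotten code path is caught
// in tests or an output filter instead of in production.
function cookies_missing_httponly(array $headers) {
    $missing = array();
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $attrs = array_map('trim',
            explode(';', substr($line, strlen('Set-Cookie:'))));
        $pair = explode('=', array_shift($attrs), 2); // "name=value"
        $cookie_name = trim($pair[0]);
        $has_httponly = false;
        foreach ($attrs as $attr) {
            if (strcasecmp($attr, 'HttpOnly') === 0) { // attribute is case-insensitive
                $has_httponly = true;
                break;
            }
        }
        if (!$has_httponly) {
            $missing[] = $cookie_name;
        }
    }
    return $missing;
}

// Constructed sample headers, not captured from a real bbPress install.
$sample = array(
    'Set-Cookie: bb_user=admin; path=/; HttpOnly',
    'Set-Cookie: bb_pass=abc123; path=/',
    'Set-Cookie: bb_test=1; path=/; httponly',
);
print_r(cookies_missing_httponly($sample));
```

In a real request the audit helper can be fed `headers_list()` just before output is sent; only `bb_pass` is reported for the sample above, since the lowercase `httponly` on the third cookie is still valid.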