
Auto protected session cookie

Open staabm opened this issue 8 years ago • 5 comments

Atm the lib uses a hardcoded list of possible cookie names/substrings.

https://github.com/aidantwoods/SecureHeaders/blob/f60c3b752114036fbf621a813ead3c3dc7b4c34a/src/SecureHeaders.php#L77

Wouldn't it make sense to detect whether sessions are handled via cookies and, if so, add the session cookie's name to the protectedCookies list?

staabm avatar Aug 28 '17 18:08 staabm

Wouldn't it make sense to detect whether sessions are handled via cookies and, if so, add the session cookie's name to the protectedCookies list?

I like the idea here :D

So the suggestion is to poll session_name and use the result from that as a protected cookie name, alongside the existing names and substrings?

aidantwoods avatar Aug 28 '17 22:08 aidantwoods

Exactly. I would check before whether the session will be cookie based

staabm avatar Aug 28 '17 22:08 staabm

See session.use_cookies on http://php.net/manual/en/session.configuration.php

staabm avatar Aug 28 '17 22:08 staabm
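The approach discussed in the comments above (check `session.use_cookies`, then add the result of `session_name()` to the protected-cookie list alongside the existing names and substrings), written out as an added illustration. This is not SecureHeaders' own code; the function names, the substring list and the `Set-Cookie` lines are constructed for the example, and the `session.use_only_cookies` check is an assumption added to cover the SID-in-URL concern raised later in the thread.

```php
<?php
// Added example, not part of SecureHeaders: detect cookie-based sessions and fold
// the session cookie name into a protected-cookie list. All names are hypothetical.

/** True when PHP transports the session id in a cookie (session.use_cookies). */
function sessionUsesCookies(): bool
{
    // ini_get() returns a string ("1", "0", "On", ...); normalise it to a bool.
    return filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Optional sanity check: a message when the SID may travel outside a cookie
 * (session.use_cookies off, or session.use_only_cookies off so URL SIDs are accepted).
 */
function sessionTransportWarning(): ?string
{
    if (!sessionUsesCookies()) {
        return 'Sessions are not cookie-based; browser cookie protections do not apply.';
    }
    if (!filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        return 'session.use_only_cookies is off; the SID may be accepted from the URL.';
    }
    return null;
}

/**
 * Merge the active session cookie name into the caller's protected list.
 * session_name() with no argument returns the current name (default PHPSESSID).
 */
function protectedCookieNames(array $configured): array
{
    if (!sessionUsesCookies()) {
        return $configured;
    }
    $name = session_name();
    if (is_string($name) && $name !== '' && !in_array($name, $configured, true)) {
        $configured[] = $name;
    }
    return $configured;
}

/**
 * Add Secure, HttpOnly and SameSite=Strict to a Set-Cookie line when the cookie
 * name matches a protected name exactly or contains a protected substring
 * (case-insensitive). Attributes already present are not duplicated.
 */
function hardenSetCookie(string $header, array $names, array $substrings): string
{
    if (!preg_match('/^([^=;]+)=/', $header, $m)) {
        return $header; // not a name=value pair; leave untouched
    }
    $cookie = trim($m[1]);
    $match = in_array($cookie, $names, true);
    foreach ($substrings as $s) {
        if (stripos($cookie, $s) !== false) {
            $match = true;
        }
    }
    if (!$match) {
        return $header;
    }
    foreach (['Secure', 'HttpOnly', 'SameSite=Strict'] as $attr) {
        $attrName = explode('=', $attr)[0];
        if (!preg_match('/;\s*' . preg_quote($attrName, '/') . '\b/i', $header)) {
            $header .= '; ' . $attr;
        }
    }
    return $header;
}

// Constructed demonstration input.
$configuredNames = ['auth'];          // names the application already protects
$substrings      = ['sess', 'login']; // hypothetical substring list
$names           = protectedCookieNames($configuredNames);

if (($warning = sessionTransportWarning()) !== null) {
    echo 'Warning: ', $warning, PHP_EOL;
}
echo implode(', ', $names), PHP_EOL; // includes PHPSESSID when sessions use cookies
echo hardenSetCookie('PHPSESSID=abc123; Path=/', $names, $substrings), PHP_EOL;
echo hardenSetCookie('theme=dark; Path=/', $names, $substrings), PHP_EOL; // unchanged
```

Reading the ini at request time rather than hardcoding PHPSESSID matters because applications commonly rename the session cookie via `session_name()` or `session.name`, and a fixed list would then miss the one cookie that most needs the flags.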

Yup, I'll take a look at doing that – cheers for the links.

In fact, if a session isn't cookie based, I wonder whether SecureHeaders should say something to encourage use of cookies to allow better protection methods by the browser (and also so the application doesn't leak the SID on navigation if an insufficient referrer policy is set).

Though, since 2.0 the default header set will issue a referrer policy to protect that leakiness on navigation, still might be worth the added sanity check if we're already polling the ini for the cookie name and other session info.

aidantwoods avatar Aug 28 '17 22:08 aidantwoods

Oops, I left this a while longer than I wanted to 😬 I'll pick this up later today hopefully

aidantwoods avatar Sep 27 '17 10:09 aidantwoods