Re: [GitHub #7913] Vulnerability due to insecure default values for session.cookie_secure and session.cookie_httponly
On Fri, Sep 13, 2024 at 9:51 PM Claude Pache <[email protected]> wrote:
>
> On 13 Sept 2024 at 16:13, etkaar <[email protected]> wrote:
>
> Hi!
>
> I created this issue in January 2022, but it seems it hasn't been noticed yet (since you
> probably watch the mailing lists more than GitHub): https://github.com/php/php-src/issues/7913
>
> Kind Regards,
> etkaar
>
>
> Hi,
>
> * Defaulting session.cookie_httponly to true seems very reasonable.
>
> * Beware that if you set session.cookie_secure to true, you will
> break websites that are not served across https. Moreover, the reason for
> the breakage may not be evident.
>
> * You forgot another obvious setting: session.cookie_samesite must be
> "Lax" by default.
>
> * We should also consider setting session.use_strict_mode to true, in
> order to mitigate session fixation attacks.
>
> —Claude
>
>
Hi,
Maybe session.cookie_secure could use an additional value like 'auto'
which would enable it for https and disable it for http. Symfony does it too:
https://symfony.com/doc/current/reference/configuration/framework.html#cookie-secure
Kind regards,
Faizan
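As an added example (not code from php-src, Symfony, or any participant in this thread), the following PHP 8 snippet applies the settings discussed above at runtime, before session_start(): cookie_httponly, cookie_samesite=Lax and use_strict_mode unconditionally, plus a Symfony-style 'auto' for cookie_secure that sets the Secure flag only when the request actually arrived over HTTPS. The function names hardenSessionCookie() and requestIsHttps(), the $behindTrustedProxy parameter and the X-Forwarded-Proto handling are assumptions for illustration, not anything PHP or Symfony provides.

```php
<?php
declare(strict_types=1);

// Added example, not code from php-src or Symfony. Requires PHP 8.0+
// (union type) and the array form of session_set_cookie_params() (7.3+).

/**
 * Decide whether the current request arrived over HTTPS.
 *
 * $behindTrustedProxy must only be true when a reverse proxy you control
 * terminates TLS and is the sole source of X-Forwarded-Proto; otherwise any
 * client can spoof the header and obtain a cookie without the Secure flag.
 */
function requestIsHttps(array $server, bool $behindTrustedProxy = false): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value for TLS requests;
    // some SAPIs set it to the literal string "off" for plain HTTP.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if ($behindTrustedProxy
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

/**
 * Apply hardened session cookie settings. Must run before session_start()
 * and before any output, otherwise the ini/cookie changes have no effect.
 *
 * $secure: true, false, or 'auto' (Secure only when the request is HTTPS,
 * so an http:// development site keeps working, as with Symfony's option).
 * Returns the effective cookie parameters so the caller can verify them.
 */
function hardenSessionCookie(array $server, bool|string $secure = 'auto', bool $behindTrustedProxy = false): array
{
    if (session_status() === PHP_SESSION_ACTIVE || headers_sent()) {
        throw new RuntimeException('Call hardenSessionCookie() before session_start() and before any output');
    }

    $useSecure = $secure === 'auto' ? requestIsHttps($server, $behindTrustedProxy) : (bool) $secure;

    // Reject session IDs the server never issued (mitigates session fixation).
    ini_set('session.use_strict_mode', '1');
    // Never accept a session ID from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => $useSecure,
        'httponly' => true,     // not readable through document.cookie
        'samesite' => 'Lax',    // not sent on cross-site POSTs or subresource loads
    ]);

    return session_get_cookie_params();
}

// Usage: at the very top of the front controller, then start the session.
$params = hardenSessionCookie($_SERVER, 'auto', false);
session_start();

// Check what the cookie will actually carry. With 'auto' on a plain-http
// request, $params['secure'] is false and everything else is hardened.
error_log(sprintf(
    'session cookie: secure=%d httponly=%d samesite=%s strict_mode=%s',
    $params['secure'], $params['httponly'], $params['samesite'], ini_get('session.use_strict_mode')
));
```

Two caveats a deployment should keep in mind. First, 'auto' only avoids the silent breakage Claude describes; it is not a substitute for serving the site over HTTPS only, because a host reachable over both schemes will hand out a non-Secure cookie to http:// requests, and that cookie is then sent in cleartext. Second, session_set_cookie_params() only affects cookies issued after the call, so it has to run before session_start() on every request, and the returned array from session_get_cookie_params() is the cheapest way to confirm in a test that the effective flags match the intended ones.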