Add cookie prefix '-__Secure-' to cookies to help prevent cookie smuggling (issue18608) #19141
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…refix ' __Secure-' to each cookie name when 'isHttps()' is true, Apparently the prefix will be recognised and enforced by most browsers (ignored by the older ones).Update Config.php The raison d'aitre for this PR is contained in my issue # 18608. This PR will replace the line 953, part of the GetCookieName function : return $cookieName . ( $this->isHttps ? '_https' : '' ); with the amended line: return ( $this->isHttps() ? '__Secure-' : '’ ) . $cookieName . ( $this->isHttps() ? '_https' : ‘’ );
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The aim of this PR is to help prevent cookie smuggling. It will modify the 'GetCookieName' functtion by hard coding the prefix ' __Secure-' to each cookie name when 'isHttps()' is true, Apparently the prefix will be recognised and enforced by most browsers (ignored by the older ones).
Description
The raison d'aitre for this PR is contained in the issue # 18608.
This PR will replace the line 1026 of the file 'Config.php', part of the GetCookieName function :
return $cookieName . ( $this->isHttps ? '_https' : '' );
with the amended line:
return ( $this->isHttps() ? '__Secure-' : '’ ) . $cookieName . ( $this->isHttps() ? '_https' : ‘’ );
The amendment is on the QA_5_2 branch and path libraries/Classes
Signed-off-by: martin762 <[martin762green@btinternet.com>