
Cookie security #3525

Open
GinoHereIam opened this Issue Aug 27, 2016 · 12 comments


GinoHereIam commented Aug 27, 2016

  • Gogs version (or commit ref): 0.9.83.0816
  • Git version: 2.7.4
  • Operating system: CentOS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • SQLite
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Cookie security: would it be possible to set the cookies as "HttpOnly; Secure"? Right now I don't see a possibility to override the cookie attributes.
Right now I modify the .htaccess:

    Header edit Set-Cookie ^(.*)$ "$1; HTTPOnly; Secure"

Thanks
Gino
...

Unknwon (Member) commented Aug 27, 2016

set the cookies

Which cookie?

GinoHereIam (Author) commented Aug 27, 2016

I mean generally all cookies which are set.
When I tested my website with the new security check tool from Mozilla, it reported that all security headers were missing. https://observatory.mozilla.org
Though, I didn't see any issue ticket here about cookie headers. That's why I put it up here.

Unknwon (Member) commented Aug 27, 2016

Any real example of how you can attack a Gogs site with the current cookies?

GinoHereIam (Author) commented Aug 27, 2016

No, but why shouldn't there be the possibility to give this option?
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

It shouldn't be hard to set two extra header options.

Unknwon (Member) commented Aug 27, 2016

You can enable this for session data yourself: https://github.com/gogits/gogs/blob/master/conf/app.ini#L243

Unknwon (Member) commented Aug 27, 2016

OK, found some inconsistency across the app, will fix all at once but not now.

silverwind (Contributor) commented Aug 28, 2016

Regarding cookie security attributes, there are these three attributes right now:

  • Secure - only transmit cookie over HTTPS
  • HttpOnly - hides the cookie from JavaScript
  • SameSite=strict - declare the cookie as first-party only

I think both HttpOnly and SameSite=strict are generally good ideas. Secure could be left out except when configured for pure HTTPS.

Unknwon added a commit that referenced this issue Feb 14, 2017

@Unknwon Unknwon removed this from the 0.10.0 milestone Feb 14, 2017

Unknwon (Member) commented Feb 14, 2017

Enforced HttpOnly and added a config option [security] COOKIE_SECURE for Secure.

However, SameSite seems not yet supported in Go: golang/go#15867

ghost commented Sep 8, 2017

@Unknwon What's completed and what still needs to be done? I'd be happy to do it!

Unknwon (Member) commented Oct 13, 2017

@fr0zenbits thanks for asking, but that part is not done in the Go core library, not on the application layer I think... so all of us will have to wait.

silverwind referenced this issue Dec 23, 2018: SameSite Setting for Cookies #5583 (open, 2 of 7 tasks complete)
jhabdas commented Feb 16, 2019

Curious to know if there's any way I can help push this forward. Please LMK. Thanks.

Unknwon (Member) commented Feb 16, 2019

According to golang/go#15867 (comment), Go seems to have "SameSite" support since Go 1.11.
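To tie together silverwind's list of the three attributes (HttpOnly, Secure, SameSite=Strict) and the note above that Go's net/http has carried SameSite since 1.11, here is an added example in Go; it is not Gogs code and not from anyone in this thread. It sets a session cookie under a policy modelled on what the thread settled on (HttpOnly always on, Secure behind a flag in the spirit of COOKIE_SECURE, SameSite when the toolchain supports it), then reads the Set-Cookie headers back the way a scanner such as Observatory would and names any attribute that is missing. The cookie name "session", its value, and the request URL are placeholders, and it needs Go 1.11 or newer for http.SameSite.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CookiePolicy holds the two knobs the thread lands on. HttpOnly is always set;
// Secure is a deployment choice (the [security] COOKIE_SECURE idea: leave it off
// unless the site is served over pure HTTPS, otherwise browsers drop the cookie);
// SameSite needs Go 1.11 or newer, where net/http gained http.SameSite.
type CookiePolicy struct {
	Secure   bool
	SameSite http.SameSite // http.SameSiteStrictMode, http.SameSiteLaxMode, or 0 for unset
}

// SetSessionCookie writes a session cookie that follows the policy.
// The cookie name and value are placeholders for this example.
func SetSessionCookie(w http.ResponseWriter, name, value string, p CookiePolicy) {
	http.SetCookie(w, &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,       // never readable through document.cookie
		Secure:   p.Secure,   // only sent over HTTPS
		SameSite: p.SameSite, // Strict: not attached to any cross-site request
	})
}

// MissingAttributes performs the check a header scanner does: it parses every
// Set-Cookie header of the response and names each attribute that is absent.
// SameSite=Lax and SameSite=Strict both count as set; Go parses the attribute
// back into c.SameSite when reading the response.
func MissingAttributes(resp *http.Response) []string {
	var missing []string
	for _, c := range resp.Cookies() {
		if !c.HttpOnly {
			missing = append(missing, c.Name+" lacks HttpOnly")
		}
		if !c.Secure {
			missing = append(missing, c.Name+" lacks Secure")
		}
		if c.SameSite != http.SameSiteStrictMode && c.SameSite != http.SameSiteLaxMode {
			missing = append(missing, c.Name+" lacks SameSite")
		}
	}
	return missing
}

// AuditPolicy drives a handler through httptest with the given policy and
// returns what MissingAttributes reports, without opening a network listener.
// The request URL is a placeholder; only the response headers matter here.
func AuditPolicy(p CookiePolicy) []string {
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		SetSessionCookie(w, "session", "opaque-session-id", p)
	})
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest("GET", "https://example.com/", nil))
	return MissingAttributes(rec.Result())
}

// AuditPolicyFlags is the same audit driven by plain booleans.
func AuditPolicyFlags(secure, sameSiteStrict bool) []string {
	p := CookiePolicy{Secure: secure}
	if sameSiteStrict {
		p.SameSite = http.SameSiteStrictMode
	}
	return AuditPolicy(p)
}

func main() {
	// HttpOnly alone, the state after the Feb 2017 change with COOKIE_SECURE off.
	fmt.Println("HttpOnly only:", AuditPolicyFlags(false, false))
	// All three attributes, what the thread asks for on an HTTPS-only deployment.
	fmt.Println("hardened:     ", AuditPolicyFlags(true, true))
}
```

Run it once per deployment flavour: on an HTTPS-only site the hardened policy should report nothing, while a site still reachable over plain HTTP must keep Secure off or the browser will refuse to send the cookie at all, which is the trade-off silverwind describes.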
