[FEATURE] Implement SameSite option for TYPO3 cookies
This change introduces a new security option for setting the SameSite option to all cookies sent by TYPO3 Core. Namely:

- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", non-configurable)
- Last Login Provider in Backend ("strict", non-configurable)

This means that these can only be accessed by scripts and requests by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not ads-related or third-party login-dependent cookies, the default options fit just perfectly.

All modern browsers except Internet Explorer respect this option when set. Please note that Firefox and Chrome will have "SameSite=lax" set in Q1/2020 by default if NO SameSite option is set at all.

This change allows configuring this. Backend and Frontend User Cookies can be configured to "strict", "lax" or "none" (= same as before), whereas "none" only works for secure connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
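The rules the commit message describes (a configurable "strict"/"lax"/"none" value per cookie, a per-cookie default, and "none" being usable only over HTTPS) can be shown in a few lines of plain PHP. The block below is an added example written for this page; it is not TYPO3 Core code and does not use TYPO3's own classes. The function names, the decision to fall back to the cookie's default when "none" is configured on a plain-HTTP site, and the sample values are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 Core code: validate a configured SameSite value
// and apply it to a session cookie via setcookie()'s options array
// (PHP >= 7.3). All function names below are assumptions for this example.

/**
 * Normalise a configured value ("strict", "lax", "none", any case) to the
 * attribute spelling browsers expect. Unknown or empty input falls back to
 * $default, which must itself be one of the three allowed values.
 */
function resolveSameSite(?string $configured, string $default): string
{
    $allowed = ['strict' => 'Strict', 'lax' => 'Lax', 'none' => 'None'];
    $key = strtolower(trim((string)$configured));
    return $allowed[$key] ?? $allowed[strtolower($default)];
}

/**
 * Build the setcookie() options for a session cookie. Browsers only accept
 * SameSite=None together with the Secure attribute, so "none" is honoured
 * on HTTPS only; on plain HTTP this example downgrades to $fallback instead
 * of emitting a cookie the browser would discard (assumption, see lead-in).
 */
function buildCookieOptions(string $sameSite, bool $isHttps, string $fallback = 'Lax'): array
{
    if ($sameSite === 'None' && !$isHttps) {
        $sameSite = $fallback;
    }
    return [
        'expires'  => 0,        // session cookie: expires when the browser closes
        'path'     => '/',
        'secure'   => $isHttps, // Secure attribute whenever served over HTTPS
        'httponly' => true,     // keep the session ID away from page scripts
        'samesite' => $sameSite,
    ];
}

/** Resolve the configured value and send the cookie in one step. */
function sendSessionCookie(string $name, string $value, ?string $configured, string $default, bool $isHttps): bool
{
    $sameSite = resolveSameSite($configured, $default);
    return setcookie($name, $value, buildCookieOptions($sameSite, $isHttps, ucfirst(strtolower($default))));
}

// Usage with constructed values: a frontend cookie (default "lax") configured
// as "none" on a plain-HTTP site, and a backend cookie (default "strict")
// with no explicit configuration on HTTPS.
$frontend = buildCookieOptions(resolveSameSite('none', 'lax'), false);
$backend  = buildCookieOptions(resolveSameSite(null, 'strict'), true);
printf("fe_typo_user: SameSite=%s Secure=%s\n", $frontend['samesite'], var_export($frontend['secure'], true));
printf("be_typo_user: SameSite=%s Secure=%s\n", $backend['samesite'], var_export($backend['secure'], true));
```

The two printed lines show the two edge cases the commit message mentions: "none" configured without HTTPS does not reach the browser as SameSite=None, and an unset backend value resolves to the "strict" default. In a real request `sendSessionCookie()` would be called before any output is sent, since `setcookie()` adds a response header.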
1 parent ac17522, commit de29dc2
Showing 9 changed files with 227 additions and 59 deletions.
60 changes: 60 additions & 0 deletions
...Changelog/8.7.x/Feature-90351-ConfigureTYPO3-shippedCookiesWithSameSiteFlag.rst
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
.. include:: ../../Includes.txt | ||
|
||
==================================================================== | ||
Feature: #90351 - Configure TYPO3-shipped cookies with SameSite flag | ||
==================================================================== | ||
|
||
See :issue:`90351` | ||
|
||
Description | ||
=========== | ||
|
||
TYPO3 Core sends four cookies set by PHP to the browser when a session is requested: | ||
|
||
- fe_typo_user - used to identify a session ID when logged-in to the TYPO3 Frontend | ||
- be_typo_user - used to identify a backend session when a Backend User logged in to TYPO3 Backend or Frontend | ||
- Typo3InstallTool - used to validate a session for the System Maintenance Area / "Install Tool" | ||
- be_lastLoginProvider - stores information about the last login provider when logging into TYPO3 Backend | ||
|
||
All modern wide-spread browsers (Mozilla Firefox, Chromium-based Browsers such as Google Chrome, Safari, Microsoft Edge) support sending cookies with an additional flag called "SameSite" which | ||
defines the visibility of a cookie when used in other scripts or | ||
iframes such as a YouTube video embedded into a site. The same site | ||
flag defines whether to send such information to these "third-party | ||
sites". | ||
|
||
Starting with Google Chrome 80 (expected in February 2020), the browser treats any cookie without having the SameSite flag sent to | ||
be the same as "lax". | ||
|
||
TYPO3 now supports the configuration of this cookie for Frontend- | ||
and Backend users. For the install Tool and lastLoginProvider | ||
the cookies are now always sent with the "strict" flag set. | ||
|
||
SameSite enhances privacy for every visitor or editor of your | ||
TYPO3 installation. | ||
|
||
Read more about SameSite cookies on: https://web.dev/samesite-cookies-explained/ | ||
|
||
|
||
Impact | ||
====== | ||
|
||
All cookies sent by TYPO3 Core now send the SameSite flag by default, whereas TYPO3 Frontend sends the SameSite flag "lax", | ||
and all other cookies are sent via "strict". | ||
|
||
The cookies for Frontend User Sessions can be configured via | ||
`$GLOBALS[TYPO3_CONF_VARS][FE][cookieSameSite]` to be either | ||
"strict", "lax" or "none". | ||
|
||
The cookies for Backend User Sessions can be configured via | ||
`$GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite]` to be either | ||
"strict", "lax" or "none". | ||
|
||
Please note that "none" only works when running the site via HTTPS. | ||
|
||
Older browsers without SameSite support do not consider evaluating | ||
the SameSite flag will behave as before. | ||
|
||
Both settings can be configured in the Install Tool / Maintenance | ||
Area Settings module. | ||
|
||
.. index:: LocalConfiguration, ext:core |
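Review bot: the configuration keys in the Impact section, `$GLOBALS[TYPO3_CONF_VARS][FE][cookieSameSite]` and `$GLOBALS[TYPO3_CONF_VARS][BE][cookieSameSite]`, are missing the quotes around the string keys, so copied as written into PHP they would reference undefined constants; suggest `$GLOBALS['TYPO3_CONF_VARS']['FE']['cookieSameSite']` and `$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieSameSite']`. The sentence "Older browsers without SameSite support do not consider evaluating the SameSite flag will behave as before." is two sentences fused; suggest "Older browsers without SameSite support ignore the flag and behave as before." The Impact section states that "none" only works over HTTPS but does not say what happens when "none" is configured for a site served over plain HTTP (whether the Core falls back to another value or sends a cookie the browser will discard); one sentence on that would spare administrators a surprise. Minor wording: "for Frontend- and Backend users" should read "for Frontend and Backend users", and "install Tool" should be "Install Tool" as elsewhere in the file.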