Hi,

Internet Explorer 6 SP1 supports the cookie attribute "httponly", which
prevents the cookie from being read by JavaScript or similar client-side
script. This helps to mitigate session hijacking via XSS. Browsers that do
not support this cookie attribute simply ignore it.

As far as I know, PHP does not support httponly cookies, so here is a
patch that adds support for them in PHP 4.
(files ext/session/session.c and ext/session/session_php.h have to be
changed)

After you apply the changes (and recompile), you can add a line like
this in php.ini:

session.cookie_httponly=1

This enables httpOnly session cookies. The default value is 0 (off) when
the line is missing.


/****diff for session.c****/
bash#diff ./ext/session/session.c ./ext/session/session_with_httponly.c

142d141
<       STD_PHP_INI_BOOLEAN("session.cookie_httponly",    "0",          
PHP_INI_ALL, OnUpdateBool,   cookie_httponly,      php_ps_globals,    
ps_globals)
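Review bot: The diff appears to be generated in reverse: the header line names the unmodified `session.c` first, yet the `<` side (file 1) carries the httponly additions, so `patch` would apply it only with `-R` or after swapping the operands; a unified diff (`diff -u`) with the original file first would be the usual form for a submission. The same applies to the php_session.h diff further down. This hunk's single `STD_PHP_INI_BOOLEAN(...)` line has also been wrapped by the mail client across three lines, which would break `patch` on its own and is worth fixing before resending.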
857d855
< #define COOKIE_HTTPONLY "; httponly"
911,914d908
<       if (PS(cookie_httponly)) {
<               smart_str_appends(&ncookie, COOKIE_HTTPONLY);
<       }
<
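Review bot: The attribute is appended only in the session cookie builder here, so, as far as this patch shows, cookies set by applications through `setcookie()` still have no way to carry the flag; the php.ini note in the description should say that `session.cookie_httponly` covers the session cookie only. The token is emitted unconditionally to every client whenever the setting is on, which matches the description's claim that browsers without support ignore it, so no user-agent check is needed. The enclosing function begins and ends outside the hunk.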
1140c1134
< /* {{{ proto void session_set_cookie_params(int lifetime [, string path [, 
string domain [, bool secure [, bool httponly]]]])
---
> /* {{{ proto void session_set_cookie_params(int lifetime [, string path [, 
> string domain [, bool secure]]])
1144c1138
<       zval **lifetime, **path, **domain, **secure, **httponly;
---
>       zval **lifetime, **path, **domain, **secure;
1149,1150c1143,1144
<       if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 ||
<               zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, 
&domain, &secure, &httponly) == FAILURE)
---
>       if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 ||
>               zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime, &path, 
> &domain, &secure) == FAILURE)
1167,1170d1160
<                       if (ZEND_NUM_ARGS() > 4) {
<                               convert_to_long_ex(httponly);
<                               zend_alter_ini_entry("session.cookie_httponly", 
sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1, 
PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
<                       }
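Review bot: `convert_to_long_ex(httponly)` followed by `Z_BVAL_PP(httponly)` reads the long value through the zend_bool accessor; if Z_BVAL_PP is the usual `(zend_bool)` cast of lval, an integer whose low byte is zero (for example 256) is treated as false here although PHP itself considers it true. Converting the argument as a boolean makes the truth test match PHP semantics: `convert_to_boolean_ex(httponly);`. If the existing `secure` branch just above (outside this hunk) uses the same long conversion, it shares the issue. The body of session_set_cookie_params begins and ends outside the hunk.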
1190d1179
<       add_assoc_bool(return_value, "httponly", PS(cookie_httponly));




/****diff for session_php.h****/
bash#diff ./ext/session/php_session.h   
./ext/session/php_session_with_httponly.h

106d105
<       zend_bool  cookie_httponly;


---------------------------

Keep in mind that the added protection of httpOnly cookies can be circumvented
by XST-style (cross-site tracing) attacks...

Hope this is useful....



                                                        Jochen

