Hello Jochen, please resend your patch as unified patch (cvs di -u).
marcus

Thursday, June 23, 2005, 2:03:24 AM, you wrote:

> Hi,
> Internet Explorer 6 SP1 supports the cookie attribute "httponly" which
> prevents reading cookies from JavaScript or the like. This can help to
> mitigate XSS session hijacking. Browsers not supporting this cookie
> attribute are not disturbed if it is present.
> AFAIK PHP does not support httponly cookies. So here's a patch that will
> add support for it in PHP4.
> (files ext/session/session.c and ext/session/session_php.h have to be
> changed)
> After you apply the changes (and recompile), you can add a line like
> this in php.ini:
> session.cookie_httponly=1
> It enables httpOnly cookies. Default value is 0 (off, if line is
> missing).
> /****diff for session.c****/
> bash#diff ./ext/session/session.c ./ext/session/session_with_httponly.c
> 142d141
> < STD_PHP_INI_BOOLEAN("session.cookie_httponly", "0",
> PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals,
> ps_globals)
> 857d855
> < #define COOKIE_HTTPONLY "; httponly"
> 911,914d908
> < if (PS(cookie_httponly)) {
> < smart_str_appends(&ncookie, COOKIE_HTTPONLY);
> < }
> <
> 1140c1134
> < /* {{{ proto void session_set_cookie_params(int lifetime [, string
> path [, string domain [, bool secure [, bool httponly]]]])
> ---
>> /* {{{ proto void session_set_cookie_params(int lifetime [, string
>> path [, string domain [, bool secure]]])
> 1144c1138
> < zval **lifetime, **path, **domain, **secure, **httponly;
> ---
>> zval **lifetime, **path, **domain, **secure;
> 1149,1150c1143,1144
> < if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 ||
> < zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime,
> &path, &domain, &secure, &httponly) == FAILURE)
> ---
>> if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 ||
>> zend_get_parameters_ex(ZEND_NUM_ARGS(), &lifetime,
>> &path, &domain, &secure) == FAILURE)
> 1167,1170d1160
> < if (ZEND_NUM_ARGS() > 4) {
> < convert_to_long_ex(httponly);
> <
> zend_alter_ini_entry("session.cookie_httponly",
> sizeof("session.cookie_httponly"), Z_BVAL_PP(httponly)?"1":"0", 1,
> PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
> < }
> 1190d1179
> < add_assoc_bool(return_value, "httponly", PS(cookie_httponly));
> /****diff for session_php.h****/
> bash#diff ./ext/session/php_session.h
> ./ext/session/php_session_with_httponly.h
> 106d105
> < zend_bool cookie_httponly;
> ---------------------------
> Keep in mind that the added protection by httpOnly cookies can be
> circumvented by XST-style attacks...
> Hope this is useful....
> Jochen

--
Best regards,
Marcus mailto:[EMAIL PROTECTED]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
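Review bot: the diff is generated in the wrong direction and its description names the wrong header. Both `bash#diff` invocations list the modified copy first (`session.c` vs `session_with_httponly.c`, `php_session.h` vs `php_session_with_httponly.h`), so every line the patch adds shows up as a `<` deletion (`142d141`, `857d855`, `106d105`) and the `c` hunks for `session_set_cookie_params` read backwards, with the new 5-argument prototype on the `<` side and the old 4-argument one on the `>>` side; regenerate with the original on the left (and `-u`, as requested) so the hunks read as additions. The description says `ext/session/session_php.h` has to be changed, but the diff is against `ext/session/php_session.h`, which is the file that actually declares `ps_globals`. In the `1167,1170` hunk, `convert_to_long_ex(httponly);` followed by `Z_BVAL_PP(httponly)` mixes types; `convert_to_boolean_ex(httponly)` matches the `bool httponly` the proto comment promises and mirrors how `secure` is handled. The `1190` hunk is fine: exposing `httponly` from `session_get_cookie_params()` keeps the getter symmetric with the new setter argument.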