[dokuwiki] Re: CookieMonster

Paul Oldham wrote:
This article in The Register[1] drew my attention to a possible security flaw where secure web sites don't secure their cookies thus allowing "sidejacking" attacks. I updated one of my other projects yesterday which was affected by this.

Today I was logging into our Wiki, which is SSL encrypted, and I took a look at the cookies and I see the cookies DokuWiki is setting are sent over any connection, not just encrypted ones. My understanding is that this means that DokuWiki sites may be vulnerable to attacks using the CookieMonster toolkit.

I'm using the 2008-05-05 - has this been fixed more recently or is this something that needs to be addressed?


Your PHP config (php.ini) should probably have:

session.cookie_secure = 1
session.cookie_httponly = 1

http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure

If you can't change the ini file, then DW should probably use session_set_cookie_params() just before session_start().
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
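An added example of the session_set_cookie_params() approach the reply suggests; this is illustrative code, not DokuWiki's own code and not part of the original thread. It assumes it runs at the top of the entry script, before any output and before session_start(), and that the site is served over HTTPS (the Secure flag is only set when the request actually arrived over TLS, because a browser will not send a Secure cookie back over plain HTTP and logins would break on an HTTP-only test setup).

```php
<?php
// Added example (not DokuWiki code): flag the PHP session cookie as
// Secure and HttpOnly from the application, for the case where php.ini
// cannot be changed. Assumption: this runs before session_start() and
// before any output, at the top of the entry script.

// Detect whether this request arrived over TLS. Only then mark the cookie
// Secure; otherwise the browser would never return it and every login fails.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);

// Keep whatever lifetime/path/domain the ini already configures.
$params = session_get_cookie_params();

if (PHP_VERSION_ID >= 70300) {
    // PHP 7.3+ accepts an options array and can also set SameSite.
    session_set_cookie_params([
        'lifetime' => $params['lifetime'],
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $isHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
} else {
    // Positional form; the httponly argument exists since PHP 5.2.0.
    session_set_cookie_params(
        $params['lifetime'],
        $params['path'],
        $params['domain'],
        $isHttps,   // secure
        true        // httponly
    );
}

session_start();

// Sanity check, e.g. for a one-off diagnostic page: confirm the flags took.
$check = session_get_cookie_params();
if (!$check['httponly'] || ($isHttps && !$check['secure'])) {
    error_log('session cookie is missing the Secure/HttpOnly flags');
}
```

To verify from outside, fetch the login page with `curl -kI https://wiki.example/` (hypothetical host) and confirm the `Set-Cookie:` header for the session cookie ends in `; secure; HttpOnly`. Note that `session.cookie_secure` and `session_set_cookie_params()` only govern the PHP session cookie; any cookie an application sets itself with setcookie() must be given its own `secure` and `httponly` arguments, so check every `Set-Cookie` header the site emits, not just the session one.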