[dokuwiki] Re: CookieMonster

On 12/09/08 09:43, Andy Webber wrote:

Paul Oldham wrote:
[...] My understanding is that
this means that DokuWiki sites may be vulnerable to attacks using the CookieMonster toolkit.

I'm using the 2008-05-05 - has this been fixed more recently or is this something that needs to be addressed?


Your PHP config (php.ini) should probably have:

session.cookie_secure = 1
session.cookie_httponly = 1

http://php.net/manual/en/session.configuration.php#ini.session.cookie-secure

If you can't change the ini file, then DW should probably use session_set_cookie_params() just before session_start().

It's shared hosting, so that's not an option, but I can do it from .htaccess, and that works fine for the ordinary session cookie. However, when you log in another cookie is set (presumably the more important one in this case, as I'm assuming it's identifying you as a logged-in user), and that's not a session cookie, so it's not encrypted by those flags.

I solved this on my other project by setting the "secure" boolean when I did the set_cookie() call if the site was using SSL, but I can't see any way of forcing that behaviour via a PHP flag setting, so it's going to require a tiny DW code change.

--
Paul
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
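To illustrate the two pieces discussed in this thread, here is an added PHP example (it is not DokuWiki code and not from either poster). It sets the session cookie flags in code with session_set_cookie_params() before session_start(), as Andy suggests, and then sets an application login cookie with the same "secure" (only when the request came in over HTTPS, as Paul did on his other project) and "httponly" flags. The cookie name DWAUTH_EXAMPLE, the request_is_https() helper and the one-week lifetime are assumptions for illustration; the positional argument form is used because it works on the PHP 5.2 era releases the thread refers to as well as current PHP.

```php
<?php
// Added example, not DokuWiki's own code. Demonstrates hardening both the
// PHP session cookie and a separate login cookie set by the application.

// Assumption: PHP is talking to the browser directly over TLS. Behind a
// TLS-terminating proxy you would check the proxy's forwarded-proto header.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

$secure = request_is_https();

// 1. Session cookie. This is the in-code equivalent of
//      session.cookie_secure = 1
//      session.cookie_httponly = 1
//    in php.ini and must run before session_start() to take effect.
//    Arguments: lifetime (0 = until browser closes), path, domain, secure, httponly.
session_set_cookie_params(0, '/', '', $secure, true);
session_start();

// 2. Login / "remember me" cookie. php.ini session.* settings do not apply to
//    cookies set with setcookie(), so the flags have to be passed per cookie.
//    Arguments: name, value, expires, path, domain, secure, httponly.
function set_login_cookie(string $name, string $value, int $lifetimeSeconds, bool $secure): bool
{
    return setcookie($name, $value, time() + $lifetimeSeconds, '/', '', $secure, true);
}

// Constructed token value: a random 128-bit identifier, never user-derived data.
$token = bin2hex(random_bytes(16));   // random_bytes() needs PHP 7.0+; assumption
set_login_cookie('DWAUTH_EXAMPLE', $token, 7 * 24 * 3600, $secure);
```

With the secure flag set, the browser never sends either cookie over plain HTTP, so a passive sniffer on an HTTP connection gets nothing to replay; the httponly flag keeps both cookies out of document.cookie. On PHP 7.3 and later both functions also accept an options array, which additionally lets you set 'samesite'. For the shared-hosting case in the thread, the session part alone can be done without code changes via .htaccess under mod_php (`php_flag session.cookie_secure on` and `php_flag session.cookie_httponly on`), but the login cookie still needs the per-cookie flags shown above.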
