stable

Implement Same-Site cookie protection for PHP session cookie

This is a follow-up contribution to commit e8da2b2ccea519a0593d33f604f31037d805dc92. Only Same-Site cookie protection is implemented. PHP documentation explicitly says that the session name should contain only alphanumeric characters [1], which prevents us from using the cookie prefix protection. However, PHP does not seem to prevent the use of the chars - and _; a deep dive into PHP internals is needed to understand why this warning is present in the documentation before using the cookie prefix protection.

This is part of request #10979: Implement Same-Site cookie and cookie prefixes protections

[1] https://secure.php.net/manual/en/function.session-name.php

Change-Id: I65c3f0eae9ff67bd183e2b1fb5c6150355780d80
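The commit message above describes setting SameSite on the PHP session cookie without touching the session name. The following is an added example, not code from this change or from the project's CookieManager/PHP_Session classes. It shows the two ways the attribute can be attached to the session cookie: the native `samesite` option of `session_set_cookie_params()` on PHP 7.3 and later, and, on older PHP, the widely used workaround of appending `; SameSite=...` to the cookie path (PHP writes the path into Set-Cookie unescaped). The `$is_https` flag is assumed to be computed by the caller (for example from `$_SERVER['HTTPS']`); the checker function is a hypothetical helper of the kind a unit test would use, and is not part of the project.

```php
<?php
// Added example (not Tuleap code): harden the PHP session cookie with
// SameSite, Secure and HttpOnly, and verify the resulting parameters.
declare(strict_types=1);

/**
 * Configure the session cookie before session_start().
 *
 * @param bool   $is_https whether the request arrived over TLS (caller decides, e.g. from $_SERVER['HTTPS'])
 * @param string $samesite one of Lax, Strict, None
 */
function configure_session_cookie(bool $is_https, string $samesite = 'Lax'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('cookie params must be set before session_start()');
    }
    if (!in_array($samesite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException('invalid SameSite value: ' . $samesite);
    }
    // Browsers only honour SameSite=None on cookies that also carry Secure.
    if ($samesite === 'None' && !$is_https) {
        throw new InvalidArgumentException('SameSite=None requires a Secure cookie');
    }

    if (PHP_VERSION_ID >= 70300) {
        // PHP >= 7.3 understands the array form with a native 'samesite' key.
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'domain'   => '',
            'secure'   => $is_https,
            'httponly' => true,
            'samesite' => $samesite,
        ]);
        return;
    }

    // PHP < 7.3: the path argument is emitted verbatim in Set-Cookie, so
    // appending the attribute to it produces "Path=/; SameSite=Lax".
    // Browsers that do not know SameSite simply ignore the attribute.
    session_set_cookie_params(0, '/; SameSite=' . $samesite, '', $is_https, true);
}

/**
 * Hypothetical check helper: given session_get_cookie_params(), return the
 * list of protections that are missing (empty array when fully hardened).
 * It recognises SameSite both as a native parameter and inside the path.
 */
function missing_session_cookie_protections(array $params): array
{
    $missing = [];
    if (empty($params['httponly'])) {
        $missing[] = 'HttpOnly';
    }
    if (empty($params['secure'])) {
        $missing[] = 'Secure';
    }
    $samesite = (string) ($params['samesite'] ?? '');
    if ($samesite === ''
        && preg_match('/;\s*SameSite=(Lax|Strict|None)\b/i', (string) ($params['path'] ?? ''), $m)
    ) {
        $samesite = $m[1]; // pre-7.3 workaround: attribute travels in the path
    }
    if ($samesite === '') {
        $missing[] = 'SameSite';
    }
    return $missing;
}

// Usage (CLI-safe: no headers are sent, only the parameters are inspected).
configure_session_cookie(true, 'Lax');
$missing = missing_session_cookie_protections(session_get_cookie_params());
echo $missing === []
    ? "session cookie hardened\n"
    : 'missing: ' . implode(', ', $missing) . "\n";
```

The path workaround is deliberately kept behind a version check: on PHP 7.3 and later the native option is the right tool, and mixing both would put the attribute in Set-Cookie twice. Note that this example still leaves the session name untouched, so the `__Host-`/`__Secure-` prefix protections the commit message defers are not attempted here either.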

Modified Files

M src/common/include/CookieManager.class.php (+3 −13)
M src/common/include/LoaderScheduler.php (+2 −5)
M src/common/session/PHP_Session.class.php (+22 −10)
M tests/simpletest/common/include/CookieManagerTest.php (+8 −0)