
Implement Same-Site cookie and cookie prefixes protections for the Tuleap session cookie

This contribution adds two relatively new protections on the cookie used by Tuleap to identify an authenticated user:

* Same-Site cookie [1]: the goal of this protection is to prevent browsers from sending cookies when doing cross-site requests. It adds a new level of protection against CSRF even if, in the current state of the Tuleap codebase, most of the form actions can be done indifferently with GET or POST requests. It is however a nice addition for actions done through the REST API. To keep a usable application, we use Same-Site cookie in the Lax mode. Also note that using the Same-Site cookie protection helps browsers mitigate speculative side-channel attack techniques [2]. Support by browsers is currently limited to Chrome but support for Firefox is on the way [3].

* Cookie prefixes [4]: the goal of this protection is to prevent cookie injection and malicious manipulations. TL;DR: the __Secure- prefix forces the cookie to be used over an encrypted connection even if for whatever reason the Secure attribute is removed by a malicious actor. The __Host- prefix adds the same protection as the __Secure- prefix, plus it protects against subdomains setting or reading cookies set for the main domain. Cookie prefixes are supported by Chrome and Firefox.

This is part of request #10979: Implement Same-Site cookie and cookie prefixes protections

Another contribution will add similar protection whenever possible for the cookie used for the PHP session.

Some changes are made to the test framework to avoid forcing PHP to send data, which was preventing headers from being tested.

All existing user sessions are removed since the associated cookies will not be valid anymore.

[1] https://tools.ietf.org/html/draft-west-first-party-cookies-07
[2] https://www.chromium.org/Home/chromium-security/ssca
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=795346
[4] https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00

Change-Id: I7a099e96dd6bc60798c7ad2a4cba22e27be187c0
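The two protections described in the commit message, shown as an added, stand-alone Python example that is not Tuleap code and does not reproduce the CookieManager changes of this commit. The first function builds a Set-Cookie header carrying the __Host- prefix and SameSite=Lax; the second applies the __Secure-/__Host- acceptance rules of the cookie-prefixes draft the way a prefix-aware browser does, so you can see a cookie with a stripped Secure attribute or an added Domain attribute being rejected; the third applies the Lax rule of the first-party-cookies draft to decide whether a cookie is attached to a request. The cookie name "session" and all sample values are constructed for this example.

```python
"""Added example (not Tuleap code): cookie prefixes and SameSite=Lax semantics.

Cookie name and values below are constructed for illustration only.
"""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def build_session_cookie(name, value, same_site="Lax", prefix="__Host-"):
    """Return a Set-Cookie header value for a session cookie.

    __Host- demands Secure, Path=/ and no Domain attribute, so those are
    emitted unconditionally; HttpOnly keeps the value out of script.
    """
    parts = [
        f"{prefix}{name}={value}",
        "Path=/",
        "Secure",
        "HttpOnly",
        f"SameSite={same_site}",
    ]
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def browser_accepts(header):
    """Apply the prefix rules of draft-ietf-httpbis-cookie-prefixes.

    A prefixed cookie is rejected when its attributes do not back the
    promise the prefix makes; a stripped Secure flag or an injected Domain
    attribute therefore cannot silently weaken the cookie.
    """
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    if name.startswith("__Host-"):
        if not secure:
            return False, "__Host- cookie must carry Secure"
        if "domain" in attrs:
            return False, "__Host- cookie must not carry Domain"
        if attrs.get("path") != "/":
            return False, "__Host- cookie must have Path=/"
        return True, "ok"
    if name.startswith("__Secure-"):
        if not secure:
            return False, "__Secure- cookie must carry Secure"
        return True, "ok"
    return True, "ok"


def cookie_sent(same_site_attr, cross_site, method, top_level_navigation):
    """Decide whether a cookie is attached to a request (draft-west semantics).

    Lax keeps the application usable: a plain link from another site still
    carries the session (top-level GET), while a cross-site POST does not,
    which is the CSRF protection the commit message describes.
    """
    if not cross_site:
        return True
    mode = (same_site_attr or "").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # no SameSite attribute: legacy behaviour, always sent


if __name__ == "__main__":
    header = build_session_cookie("session", "c0ffee")
    print(header)
    print(browser_accepts(header))
    print(browser_accepts(header.replace("; Secure", "")))
    print(cookie_sent("Lax", cross_site=True, method="POST", top_level_navigation=True))
```

The checks in `browser_accepts` are deliberately the browser's view, not the server's: the point of the prefixes is that the name itself carries the requirement, so even a cookie rewritten on the wire or set from a subdomain cannot be accepted without Secure (both prefixes) and without Path=/ and no Domain (__Host-).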

Modified Files

M plugins/tests/include/TestsPluginReporter.class.php +2 −2
M plugins/tests/include/simpletest/extensions/junit_xml_reporter.php +6 −6
M plugins/webdav/tests/WebDAVFRSReleaseTest.php +6 −5
M src/common/REST/UserManager.class.php +1 −1
M src/common/include/Codendi_Request.class.php +5 −14
M src/common/include/CookieManager.class.php +77 −66
M src/common/include/Response.class.php +1 −11
M src/common/user/UserManager.class.php +1 −1
M src/composer.json +2 −1
M src/composer.lock +78 −1
A src/db/mysql/updates/2018/201801221530_remove_unusable_session.php +44 −0
M src/etc/local.inc.dist +2 −2
M tests/selenium/tests/SeedCookiesTest.php +2 −2
M tests/simpletest/common/include/CookieManagerTest.php +56 −30
M tests/simpletest/common/user/UserManagerTest.php +3 −4