Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #10979 Implement Same-Site cookie and cookie prefixes protections
    Actions
    Infos
    #10979
    Thomas Gerbet (tgerbet)
    2018-02-01 16:50
    2018-01-05 17:14
    11313
    Details
    Implement Same-Site cookie and cookie prefixes protections
    Tuleap should implement two new cookies protection whenever possible:
    * Same-Site cookie [1]: it adds a new layer of protection against CSRF and XSSI. Currently only supported by Chrome, support is coming into Firefox.
    * Cookie prefixes [2]: it protects against cookie injections. Supported by Chrome and Firefox. Whenever possible Tuleap should use the __Host- prefix.


    [1] https://tools.ietf.org/html/draft-west-first-party-cookies-07
    [2] https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
    Other
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-02-01
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #10877 Tuleap Releases 9.17 Delivered 2018-31-01 14:03 Manuel Vacelet (vaceletm)
    rel #10968 Tuleap Releases 9.18 Delivered 2018-07-03 14:19 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #10979

    Artifact Tracker v5

    request #18377 Regenerate session ID when users sign in

    Git commit

    tuleap/tuleap/stable

    Implement Same-Site cookie and cookie prefixes protections for the Tuleap session cookie e8da2b2cce
    User avatar Thomas Gerbet (tgerbet) , 2018-01-22 16:12
    Can not login on HTTP only instances or instances with an empty sys_https_host setting e9f1ee602f
    User avatar Thomas Gerbet (tgerbet) , 2018-01-24 09:12
    Remove cookie domain configuration option 5bb3d5d64b
    User avatar Thomas Gerbet (tgerbet) , 2018-01-26 12:06
    Implement Same-Site cookie protection for PHP session cookie bc0ad09df6
    User avatar Thomas Gerbet (tgerbet) , 2018-01-26 14:50
    Implement cookie prefixe protection for PHP session cookie 6a86d7c861
    User avatar Thomas Gerbet (tgerbet) , 2018-01-31 14:38
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-01-29 10:26
    For information I have opened a bug in the PHP bug tracker [1] about the characters that can be used in the session name since the current limitations (only alphanum chars) prevent the usage of cookie prefixes on the PHP session cookie.
    I have made functional tests on PHP 5.6 and 7.2 and it seems that the - and _ chars can safely be used. A quick glance over the PHP source code also does not seem to show any particular obvious issue.



    [1] https://bugs.php.net/bug.php?id=75883
    User avatar
    Thomas Gerbet (tgerbet)2018-01-23 09:48
    Reopening, I will also deal with the session cookie.
    • Status changed from Closed to Reopen
    • Close date cleared
    User avatar
    Thomas Gerbet (tgerbet)2018-01-05 17:24
    Also note that, as a first step, this contribution only impacts cookies set directly by Tuleap. Other cookies such as the ones set by PHP to maintain a session will be dealt with in a later contribution.
    User avatar
    Thomas Gerbet (tgerbet)2018-01-05 17:19
    Implementation will use a PHP 5.6 library so it will need request #10978 to be closed.
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    • Status changed from New to Under implementation