request #10979 Implement Same-Site cookie and cookie prefixes protections
    Infos
    #10979
    Submitted by: Thomas Gerbet (tgerbet)
    Last update: 2018-02-01 16:50
    Submitted on: 2018-01-05 17:14
    10655
    Details
    Implement Same-Site cookie and cookie prefixes protections
    Tuleap should implement two new cookie protections whenever possible:
    * Same-Site cookie [1]: it adds a new layer of protection against CSRF and XSSI. Currently only supported by Chrome; support is coming to Firefox.
    * Cookie prefixes [2]: they protect against cookie injection. Supported by Chrome and Firefox. Whenever possible Tuleap should use the __Host- prefix.


    [1] https://tools.ietf.org/html/draft-west-first-party-cookies-07
    [2] https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
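    As an added illustration (not part of this request and not Tuleap's own code), the following Python builder and checker show what the two protections require of a Set-Cookie header. Per draft-ietf-httpbis-cookie-prefixes-00 a __Host- cookie must carry Secure, set Path=/ and have no Domain attribute (a __Secure- cookie only needs Secure); per draft-west-first-party-cookies-07 the SameSite attribute takes the values Strict or Lax. The cookie name __Host-TULEAP_session_hash and the values are constructed samples; the check function is the kind of test one would run over the headers a server actually emits.

```python
"""Builder and checker for Set-Cookie headers that use the __Host- / __Secure-
prefixes and the SameSite attribute. Added example, not Tuleap code."""

PREFIX_HOST = "__Host-"
PREFIX_SECURE = "__Secure-"
VALID_SAMESITE = {"Strict", "Lax"}  # values defined by draft-west-first-party-cookies-07


def build_set_cookie(name, value, samesite="Strict", max_age=None):
    """Emit a Set-Cookie header for a __Host- cookie.

    The prefix only has meaning if the cookie is Secure, scoped to Path=/ and
    carries no Domain attribute, so those are forced here; HttpOnly is added
    because a session cookie has no reason to be readable from script.
    """
    if not name.startswith(PREFIX_HOST):
        raise ValueError("cookie name must start with " + PREFIX_HOST)
    if samesite not in VALID_SAMESITE:
        raise ValueError("SameSite must be one of %s" % sorted(VALID_SAMESITE))
    parts = ["%s=%s" % (name, value), "Path=/", "Secure", "HttpOnly",
             "SameSite=%s" % samesite]
    if max_age is not None:
        parts.append("Max-Age=%d" % max_age)
    return "Set-Cookie: " + "; ".join(parts)


def parse_set_cookie(header):
    """Return (name, value, attrs) where attrs maps lower-cased attribute
    names to their value, or None for flag attributes such as Secure."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def check_set_cookie(header):
    """Return a list of findings; an empty list means the header honours its
    prefix's requirements and carries a recognised SameSite attribute."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if name.startswith(PREFIX_HOST):
        if "secure" not in attrs:
            findings.append("__Host- cookie must carry Secure")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
    elif name.startswith(PREFIX_SECURE):
        if "secure" not in attrs:
            findings.append("__Secure- cookie must carry Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("no SameSite attribute (no CSRF/XSSI mitigation)")
    elif samesite not in VALID_SAMESITE:
        findings.append("unknown SameSite value %r" % samesite)
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one built correctly, two that a browser
    # would reject or that lose the intended protection.
    good = build_set_cookie("__Host-TULEAP_session_hash", "abc123", max_age=3600)
    print(good, check_set_cookie(good))
    print(check_set_cookie("Set-Cookie: __Host-x=1; Secure"))
    print(check_set_cookie("__Host-s=v; Path=/; Secure; Domain=example.com; SameSite=Lax"))
```

    The checker treats the prefix as a contract: a __Host- cookie that a browser would silently drop (no Secure, wrong Path, a Domain attribute) is reported, as is the absence of SameSite, which is the attribute this request wants on every cookie Tuleap sets.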
    Other
    Stage
    Closed
    2018-02-01
    Attachments
    References

    Follow-ups

    • gerrit #10451 integrated into Tuleap 9.17.99.19

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2018-02-01
    • Last contribution is under review: gerrit #10451.
    • gerrit #10409 integrated into Tuleap 9.16.99.146
    • For information I have opened a bug in the PHP bug tracker [1] about the characters that can be used in the session name since the current limitations (only alphanum chars) prevent the usage of cookie prefixes on the PHP session cookie.
      I have made functional tests on PHP 5.6 and 7.2 and it seems that the - and _ chars can safely be used. A quick glance over the PHP source code also does not seem to show any particular obvious issue.

      [1] https://bugs.php.net/bug.php?id=75883
    • gerrit #10427 integrated into Tuleap 9.16.99.141
    • gerrit #10420, which fixes an issue with installation with an empty sys_https_host, integrated into Tuleap 9.16.99.130
    • A patch to set the SameSite flag on the PHP session cookie is under review: gerrit #10409.

      • Status changed from Reopen to Under review
    • Reopening, I will also deal with the session cookie.

      • Status changed from Closed to Reopen
      • Close date cleared
    • gerrit #10277 integrated into Tuleap 9.16.99.117

      • Status changed from Under implementation to Closed
      • Connected artifacts
      • Close date set to 2018-01-23
    • request #10978 has been closed so a first contribution is available for review: gerrit #10277.
    • Also note that, as a first step, this contribution only impacts cookies set directly by Tuleap. Other cookies such as the ones set by PHP to maintain a session will be dealt with in a later contribution.
    • Implementation will use a PHP 5.6 library so it will need request #10978 to be closed.

      • Original Submission
      • Status changed from New to Under implementation