      request #10979 Implement Same-Site cookie and cookie prefixes protections
    Infos
    #10979
    Thomas Gerbet (tgerbet)
    2018-02-01 16:50
    2018-01-05 17:14
    Details
    Implement Same-Site cookie and cookie prefixes protections
    Tuleap should implement two new cookie protections whenever possible:
    * Same-Site cookie [1]: it adds a new layer of protection against CSRF and XSSI. It is currently only supported by Chrome; support is coming to Firefox.
    * Cookie prefixes [2]: they protect against cookie injection. Supported by Chrome and Firefox. Whenever possible Tuleap should use the __Host- prefix.


    [1] https://tools.ietf.org/html/draft-west-first-party-cookies-07
    [2] https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
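    The two protections named above, as an added example that is not part of this ticket or of Tuleap's code: a small Python checker that applies the __Host-/__Secure- prefix rules from [2] and requires a SameSite=Strict|Lax attribute from [1] on Set-Cookie headers. The sample headers, including the cookie names, are constructed for illustration.

```python
from typing import Dict, List, Tuple, Union

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie must start with a name=value pair")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def check_cookie(header: str) -> List[str]:
    """Return the rule violations for one Set-Cookie header; [] means acceptable.
    __Secure- and __Host- require Secure; __Host- also forbids Domain and requires
    Path=/; without SameSite=Strict|Lax the cookie is still sent cross-site.
    Whether the cookie was set over HTTPS cannot be seen in the header itself."""
    name, _value, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if name.startswith(("__Secure-", "__Host-")) and attrs.get("secure") is not True:
        problems.append("prefixed cookie must carry the Secure attribute")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("__Host- cookie must not set a Domain attribute")
        if attrs.get("path") != "/":
            problems.append("__Host- cookie must set Path=/")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        problems.append("missing or invalid SameSite attribute (expected Strict or Lax)")
    return problems

# Constructed sample headers (not taken from Tuleap), one per rule.
SAMPLE_HEADERS = [
    "__Host-example_session=abc123; Secure; Path=/; HttpOnly; SameSite=Strict",
    "__Host-bad_domain=abc123; Secure; Domain=example.org; Path=/; SameSite=Lax",
    "__Secure-no_secure_flag=abc123; Path=/; SameSite=Lax",
    "PHPSESSID=abc123; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h.split(";")[0], "->", check_cookie(h) or "OK")
```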
    Closed
    2018-02-01

    Follow-ups

    Thomas Gerbet (tgerbet) 2018-01-29 10:26
    For information, I have opened a bug in the PHP bug tracker [1] about the characters that can be used in the session name, since the current limitations (only alphanum chars) prevent the usage of cookie prefixes on the PHP session cookie.
    I have made functional tests on PHP 5.6 and 7.2, and it seems that the - and _ chars can safely be used. A quick glance over the PHP source code also does not seem to show any particular obvious issue.
    [1] https://bugs.php.net/bug.php?id=75883
    Thomas Gerbet (tgerbet) 2018-01-23 09:48
    Reopening, I will also deal with the session cookie.

    • Status changed from Closed to Reopen
    • Close date cleared
    Thomas Gerbet (tgerbet) 2018-01-05 17:24
    Also note that, as a first step, this contribution only impacts cookies set directly by Tuleap. Other cookies such as the ones set by PHP to maintain a session will be dealt with in a later contribution.
    Thomas Gerbet (tgerbet) 2018-01-05 17:19
    Implementation will use a PHP 5.6 library so it will need request #10978 to be closed.

    • Original Submission
    • Status changed from New to Under implementation