ID: 40778 Updated by: [EMAIL PROTECTED] Reported By: mbowie at buzmo dot com Status: Open -Bug Type: Session related +Bug Type: Documentation problem Operating System: FreeBSD 6.0R PHP Version: 5.2.1 New Comment:
Secure OPTIONAL. The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie, to protect the confidentially and authenticity of the information in the cookie. The user agent (possibly with user interaction) MAY determine what level of security it considers appropriate for "secure" cookies. The Secure attribute should be considered security advice from the server to the user agent, indicating that it is in the session's interest to protect the cookie contents. When it sends a "secure" cookie back to a server, the user agent SHOULD use no less than the same level of security as was used when it received the cookie from the server. http://www.faqs.org/rfcs/rfc2965.html Previous Comments: ------------------------------------------------------------------------ [2007-03-11 22:20:48] mbowie at buzmo dot com Description: ------------ Cookies sent via the set_cookie method or via PHP's session module with the secure parameter set to true can be sent via HTTP. http://php.net/set_cookie has notes against the secure flag which states : "Indicates that the cookie should only be transmitted over a secure HTTPS connection. When set to TRUE, the cookie will only be set if a secure connection exists. The default is FALSE.". This does not appear to be the case. It's possible that this is by design, but if so, perhaps it's worth noting on the documentation at the secure parameter only refers to the browser's activities, not those of the webserver. The upshot of this is that an attacker may pickup a visitor's cookie by sniffing HTTP traffic on the wire and craft their own cookie in order to spoof the visitor's identity on the secure side. The same thing happens on 4.3.9, 5.2.0 and 5.2.1; all of which are compiled via the FreeBSD ports tree and are running on various flavors of FreeBSD. Reproduce code: --------------- $domain = 'setme'; setcookie('setcookie', 'insecure', time()+3600, '/', $domain, true); session_name('session_set_cookie_params'); session_set_cookie_params( time()+3600, '/', $domain, true ); session_start(); Expected result: ---------------- No cookies should be sent to the browser unless the page is requested via an SSL encrypted channel. Actual result: -------------- Cookie headers are sent regardless of whether the page is requested via HTTP or HTTPS. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40778&edit=1