TYPO3 security improvement in v4.3: Secure cookie transfer

Posted on October 16, 2009 by Marcus.

If you are running a TYPO3 installation that makes use of SSL, following new feature will enhance your website's security (starting with upcoming TYPO3 version 4.3):

You probably know that the HTTP protocol is stateless and therefore sessions try to solve that "problem". TYPO3 uses cookies to exchange session identifiers between server and client.

Currently, if you are running e.g. the TYPO3 Backend (BE) with SSL (HTTPS) enabled and call the BE, the server will issue a cookie with the session ID. This cookie will be transferred over an secured/encrypted channel that prevents an eavesdropper to read the session ID from the cookie. If you call the BE again using standard (insecure) HTTP, your client will transfer the same cookie with the session ID exposed in plain-text for everyone who is sniffing your traffic.


Now, with feature #7461 ("Transfer cookies via SSL only whenever possible") implemented in upcoming TYPO3 v4.3, you can decide if TYPO3 should transfer created cookies only over a secured/encrypted channel or if cookies, initially issued by the server over a secured/encrypted channel should again only be transferred (by the client a.k.a. your browser) over a secured/encrypted channel.

This is done by setting a specific cookie declaration that current browsers understand and therefore will apply to your client-server traffic.

To use that new feature, please adjust a new parameter $TYPO3_CONF_VARS['SYS']['cookieSecure'] (through localconf.php file):

  • integer "0" - current behaviour, transfer of cookies over any channel (default)
  • integer "1" - server creates and transfers cookies only when accessed over a secured/encrypted channel; client is asked to send the cookie only over secured/encrypted channel (this setting enforces SSL)
  • integer "2" - server will always create and transfer the cookie no matter which channel is used; if accessed over a secured/encrypted channel, the cookie will only be exchanged in an encrypted way.

 

Even if e.g. your TYPO3 Backend is accessible over SSL only, you won't be safe from cookies with session IDs transferred in an insecure manner and exposed SIDs as plain-text. So, whenever using SSL with TYPO3, please make sure to be familiar with that new feature and its options.

 

Permalink | Trackback link
Tags:  TYPO3 Security Blog
Views: 0
  •  
  • 0 Comment(s)
  •  

Your comment

back

Categories

  • advisory(7)
  • book(1)
  • [-]database(1)
  • exploit(1)
  • hacks(2)
  • others(6)
  • PHP(1)
  • TYPO3(22)

Tag cloud