Posted on October 19, 2009
Together with the previously mentioned feature (secure cookie transfer), an additional security enhancement has found its way into TYPO3 Core v4.3:
FE/BE session cookies can now be marked as HTTP-only. With that enabled, JavaScript can no longer read these cookies and, for example, extract session IDs from them. Current browsers honour this flag and block script access to such cookies.
In the past, an attacker who found and exploited a Cross-Site Scripting vulnerability could read session IDs via JavaScript and then try to authenticate to a TYPO3 installation using those session identifiers.
It is expected that some TER-listed extensions might stop working. Therefore, this feature is currently disabled by default; it will, however, be activated by default at a later point in time. You might therefore want to test your installation already today:
To enable and use this new security feature, put
$TYPO3_CONF_VARS['SYS']['cookieHttpOnly'] = true;
into your localconf.php file!
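When testing the setting, the quickest check is to look at the Set-Cookie headers the installation actually emits and confirm the session cookies carry the HttpOnly flag (and the Secure flag from the cookie-transfer feature mentioned above). The following Python script is an added example written for this post, not TYPO3 Core code; it assumes the front-end/back-end session cookies are named fe_typo_user and be_typo_user and runs against constructed header lines rather than a live site.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags on session cookies.

Added example (not TYPO3 code). Cookie names are assumptions; session values are constructed.
"""
from dataclasses import dataclass, field

# Assumed names of the TYPO3 FE/BE session cookies (not stated in the post).
SESSION_COOKIES = ("fe_typo_user", "be_typo_user")


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for bare flags such as HttpOnly
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie header value into the cookie pair and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Bare attributes (HttpOnly, Secure) become True; valued ones keep their value.
        cookie.attributes[key.strip().lower()] = val.strip() if sep else True
    return cookie


def audit_session_cookies(set_cookie_headers, session_names=SESSION_COOKIES) -> dict:
    """Return {cookie name: [missing flags]} for every session cookie seen in the headers.

    An empty list means the cookie is both HttpOnly and Secure; cookies that are
    not session cookies are ignored.
    """
    findings = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in session_names:
            continue
        missing = []
        if cookie.attributes.get("httponly") is not True:
            missing.append("HttpOnly")
        if cookie.attributes.get("secure") is not True:
            missing.append("Secure")
        findings[cookie.name] = missing
    return findings


# Constructed sample headers: a default setup, one with cookieHttpOnly enabled,
# and one with both the HttpOnly and Secure flags set.
SAMPLE_HEADERS = [
    "fe_typo_user=0123456789abcdef0123456789abcdef; path=/",
    "be_typo_user=fedcba9876543210fedcba9876543210; path=/; HttpOnly",
    "tracking_pref=light; path=/",
]

SAMPLE_HEADERS_HARDENED = [
    "fe_typo_user=0123456789abcdef0123456789abcdef; path=/; secure; HttpOnly",
]


if __name__ == "__main__":
    for label, headers in (("default", SAMPLE_HEADERS), ("hardened", SAMPLE_HEADERS_HARDENED)):
        print(f"[{label}]")
        for name, missing in audit_session_cookies(headers).items():
            status = "ok" if not missing else "missing " + ", ".join(missing)
            print(f"  {name}: {status}")
```

Run it against the headers of a real response (for example, the Set-Cookie lines from a request to the backend login page) and any session cookie reported as missing HttpOnly indicates the option has not taken effect for that context.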
Which extension?
Is there already a list of extensions which are known not to work with this configuration?
Re: Which extension?
I assume that there's no such list currently and not even a single extension known to be non-working.
It's just that with >3k extensions in TER, chances are high to find an extension that depends on JS access to session cookies.
So testing the feature now with a custom TYPO3 setup is still a good idea.