Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#958 closed defect (bug) (fixed)

bbPress should implement HttpOnly Cookies to slow down XSS

Reported by: _ck_
Owned by:
Milestone: 1.0
Priority: normal
Severity: normal
Version:
Component: Back-end
Keywords: security, cookies


While it's far from perfect and there are complex ways around it, HttpOnly Cookies are supported now by all major browsers and will prevent many kinds of XSS attacks.

HttpOnly Cookies simply prevent cookies from being accessed via JavaScript's document.cookie, so an admin's cookie cannot be easily forwarded to another domain via injected JavaScript.

The technique is this simple:

if ( PHP_VERSION < 5.2 ) {
	// Older PHP has no httponly argument, so append the attribute to the domain
	// string and it lands verbatim in the Set-Cookie header
	@setcookie( $name, $value, $expires, $path, $domain . '; HttpOnly' );
} else {
	// PHP 5.2+ takes $secure (NULL here) and $httponly arguments
	@setcookie( $name, $value, $expires, $path, $domain, NULL, TRUE );
}
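An added example, not code from the ticket or from bbPress: a version-aware cookie setter in the spirit of the snippet above (using version_compare() rather than a numeric comparison of PHP_VERSION), plus a small Set-Cookie parser a maintainer can use to confirm the HttpOnly attribute actually made it into the header. All function names and the sample header values are constructed for illustration.

```php
<?php
// Emit a cookie with HttpOnly on both pre-5.2 and 5.2+ PHP.
// Secure is added as well when the request arrived over HTTPS.
function bbp_example_set_auth_cookie($name, $value, $expires, $path, $domain) {
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (version_compare(PHP_VERSION, '5.2.0', '<')) {
        // Pre-5.2 setcookie() has no $httponly argument; appending the
        // attribute to the domain puts it verbatim into the Set-Cookie header.
        return @setcookie($name, $value, $expires, $path, $domain . '; HttpOnly', $secure);
    }
    return @setcookie($name, $value, $expires, $path, $domain, $secure, true);
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parse_set_cookie($header) {
    $parts = array_map('trim', explode(';', $header));
    $attrs = array();
    $pair  = explode('=', array_shift($parts), 2);
    $attrs['__name']  = $pair[0];
    $attrs['__value'] = isset($pair[1]) ? $pair[1] : '';
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        // Flag attributes (HttpOnly, Secure) have no value; store true.
        $attrs[strtolower($kv[0])] = isset($kv[1]) ? $kv[1] : true;
    }
    return $attrs;
}

// True only when the browser will keep the cookie out of document.cookie.
function cookie_is_httponly($header) {
    $attrs = parse_set_cookie($header);
    return isset($attrs['httponly']);
}

// Constructed sample headers, as a browser would receive them.
$weak   = 'bb_auth=abc123; expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/; domain=forum.example';
$strong = $weak . '; HttpOnly';
var_dump(cookie_is_httponly($weak));   // readable by injected script
var_dump(cookie_is_httponly($strong)); // hidden from document.cookie
```

The parser treats "HttpOnly" case-insensitively, matching browser behaviour, so a header produced by either branch of bbp_example_set_auth_cookie() passes the check.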

Change History (6)

#2 @fel64
13 years ago

I was waiting for one of these after Coding Horror featured it. :D It seems good, but I don't feel qualified to comment.

#3 @_ck_
13 years ago

It's a wonderfully simple concept and is really a matter of just appending '; HttpOnly' to the cookie domain, regardless of official PHP support or not.

The problem is that while all modern browsers support it (and it doesn't break any old browsers), their support is imperfect and needs improvement. But that will be fixed over time, and then users will have robust protection under WordPress/bbPress. Even with the current state of affairs it does add some extra security.

#4 @sambauers
13 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [BP126] - this may break cookie integration with WordPress < [WP8811]

#5 @(none)
13 years ago

  • Milestone 1.0-beta deleted

#6 @sambauers
13 years ago

  • Milestone set to 1.0