[PHP-DEV] HTTP-Only Patch
by Scott MacVicar
Aug 7 2006 7:54AM
Hi,
After we recently experienced an XSS through what can only be described
as IE's shocking attempt at determining the mime type from the data and
ignoring what the server sent, we decided to look into implementing
HTTP-only cookies. We know it's not a solution for preventing XSS, but
adding this would complicate the process for those wanting to exploit
any discovered problems before they are rectified.
HTTP-only is a feature in IE 6 SP1, Opera, Safari and KDE to allow the
setting of cookies that will only be sent via HTTP headers and never
accessible via client side scripting.
Ref: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
I've added the flags for setcookie and setrawcookie. Support for the
session system is also included.
The attached patches are for PHP 5.2 and HEAD.
Regards,
Scott
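An added example, not code from Scott's patch or the PHP source, showing how the two knobs the mail describes are used once the flags exist (the `session.cookie_httponly` ini setting and a trailing httponly parameter on `setcookie()`, in the position PHP 5.2 gave it), together with a check over the response's Set-Cookie headers that a deployment can use to confirm no cookie was left readable by script. The sample header lines are constructed, not captured traffic.

```php
<?php
// Added example, not code from the patch itself: the two HttpOnly knobs the
// mail describes (session.cookie_httponly and the 7th setcookie() parameter)
// plus a check that every Set-Cookie header a response emits carries HttpOnly.

// Return the name=value part of every Set-Cookie header lacking HttpOnly.
function cookies_missing_httponly(array $headers) {
    $missing = array();
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;                                  // not a cookie header
        }
        // Attributes follow the name=value pair, separated by ';'.
        $parts = array_map('trim', explode(';', substr($h, strlen('Set-Cookie:'))));
        $nameValue = array_shift($parts);
        $attrs = array_map('strtolower', $parts);
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = $nameValue;
        }
    }
    return $missing;
}

// Hardened calls, made before any output so the headers can still be set.
ini_set('session.cookie_httponly', '1');             // session cookie gets HttpOnly
session_start();
// setcookie(name, value, expire, path, domain, secure, httponly)
setcookie('auth', 'token', 0, '/', '', false, true);  // application cookie gets HttpOnly

// In a web SAPI headers_list() holds the headers queued so far; any entry
// returned here is a cookie that client-side script could still read.
$live = cookies_missing_httponly(headers_list());

// Constructed sample (not captured traffic): the first two lines are what the
// pre-flag calls emit, the last two what the hardened calls above emit, so the
// check can be exercised offline as well.
$sample = array(
    'Set-Cookie: PHPSESSID=abc123; path=/',
    'Set-Cookie: auth=token; path=/',
    'Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly',
    'Set-Cookie: auth=token; path=/; HttpOnly',
);
$flagged = cookies_missing_httponly($sample);

var_dump($live, $flagged);
```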