Vulnerability due to insecure default values for session.cookie_secure and session.cookie_httponly

[etkaar]

Description

Dear colleagues,

it seems that the default values for the SECURE and HTTPONLY flags of cookies, especially for the PHP session cookie, (PHPSESSID) are not set to true. This opens a hidden vulnerability for serious XSS attacks.

Developers which use setcookie() and explicitly define $secure and $httponly might not be aware (they have done their work and feel safe), that they additionally have to explicitly set these values in session_set_cookie_params() to protect the PHPSESSID cookie from being stolen due to trivial XSS attacks:

session_set_cookie_params(['secure' => true, 'httponly' => true]);

I kindly ask you to confirm this issue and move to secure-per-default for this.

Kind Regards,
etkaar

PHP Version

PHP 7-8

Operating System

No response

---

See also: #13720 (successful XSS reported)

[cmb69]

Indeed, session.cookie_secure and session.cookie_httponly default to off. I don't consider this to be a bug, though, especially since there is explicit documentation about securing session INI settings.

I'm not against changing the defaults for the next minor version, though.

[etkaar]

Thank you for your answer!

It might be not a bug, but I would consider defaulting to an unsafe value as a vulnerability, since there is simply no reason for such an unsafe-per-default scheme. In case developers want the PHPSESSID cookie – which is the primary target of XSS attacks – to be accessible via JavaScript (even if I cannot see any use case for that), they know how to enable that.

[David263]

At what version has the default security option been set for PHPSESSID?

[David263]

I tested session_set_cookie_params(['secure' => true, 'httponly' => true]); in PHP 7.4.13 and found that it fails to set PHPSESSID to 'secure'.

[KapitanOczywisty]

I'm not against changing the defaults for the next minor version, though.

Now ssl is free and easy to use, and there is no real reason to access PHPSESSID from JS, so both probably should be changed for On. Also default values are more than a decade old.

[David263]

I'm not sure I agree, Kapitan. I'm not familiar with the JavaScript attack vector. But being able to copy the value of PHPSESSID is useful in JavaScript, so that JavaScript can similarly remember session data. But the actual contents of a session array must not be readable from JavaScript, since it is server-side data, regardless of the 'secure' option.

[KapitanOczywisty]

But being able to copy the value of PHPSESSID is useful in JavaScript, so that JavaScript can similarly remember session data.

This is very dangerous since attacker by injecting own JS code (e.g. compromised advert, extension or XSS) can get full access to user session. JS should be using sessionStorage or localStorage for that, and probably keep only low-value informations like dark mode etc. Anything sensitive should be kept on server-side.

But the actual contents of a session array must not be readable from JavaScript, since it is server-side data, regardless of the 'secure' option.

It never is.