Thanks to Werdna’s implementation of support, and Tim’s mass upgrade of our older PHP installations, I’ve today enabled the use of HttpOnly cookies on the Wikimedia wikis for our login session data.
“What’s that,” I hear you say, “and why do I want it?”
This provides protection against certain kinds of security vulnerabilities — namely, XSS attacks which steal authenticated session and long-term login token cookies.
HttpOnly doesn’t fix XSS, not by a long shot, but it does reduce what an attacker can do; particularly nice when we’re soon going to start using global login cookies which will allow a unified account to continue a login session across multiple wikis on different domains.
Unfortunately, this marker isn’t standard; it’s an extension which Microsoft added for Internet Explorer in 6.0 SP1, but support has been slowly creeping into other browsers, finally hitting Firefox somewhere in the 2.0 patch cycle while nobody was looking.
Browsers I tested that currently support HttpOnly cookies:
- IE/Win 6 SP1 or 7
- Firefox 184.108.40.206 or later
- Opera 9.50 beta
- Konqueror (3.4?)
- Safari 3.1
- Opera 9.27 (current non-Beta release)
- Old scary browsers like IE for Mac and Netscape 4 ;)
There’s a rumor that some versions of WebTV fail altogether when the cookies are marked this way, but I have no way to confirm or deny that yet.
Update 2008-05-01: Mac IE turns out to eat HttpOnly cookies…. sometimes… when the moon is just right. :) Added a browser blacklist, so we feed Mac IE regular cookies. Other browsers are still given the benefit of the doubt.