From: mbowie at buzmo dot com
Operating system: FreeBSD 6.0R
PHP version: 5.2.1
PHP Bug Type: Session related
Bug description: Cookies with secure parameter sent via HTTP
Description:
------------
Cookies sent via the set_cookie method or via PHP's session module with the secure parameter set to true can be sent via HTTP.

http://php.net/set_cookie has notes against the secure flag which state: "Indicates that the cookie should only be transmitted over a secure HTTPS connection. When set to TRUE, the cookie will only be set if a secure connection exists. The default is FALSE." This does not appear to be the case.

It's possible that this is by design, but if so, perhaps it's worth noting in the documentation that the secure parameter only refers to the browser's activities, not those of the webserver.

The upshot of this is that an attacker may pick up a visitor's cookie by sniffing HTTP traffic on the wire and craft their own cookie in order to spoof the visitor's identity on the secure side.

The same thing happens on 4.3.9, 5.2.0 and 5.2.1; all of which are compiled via the FreeBSD ports tree and are running on various flavors of FreeBSD.

Reproduce code:
---------------
<?php
$domain = 'setme';

// Explicit cookie with the secure flag set (sixth argument).
setcookie('setcookie', 'insecure', time() + 3600, '/', $domain, true);

// Session cookie with the secure flag set (fourth argument).
// session_set_cookie_params() takes a lifetime in seconds, not an
// expiry timestamp, so 3600 is passed here rather than time()+3600.
session_name('session_set_cookie_params');
session_set_cookie_params(3600, '/', $domain, true);
session_start();
?>

Expected result:
----------------
No cookies should be sent to the browser unless the page is requested via an SSL encrypted channel.

Actual result:
--------------
Cookie headers are sent regardless of whether the page is requested via HTTP or HTTPS.
-- 
Edit bug report at http://bugs.php.net/?id=40778&edit=1
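The secure flag only instructs the browser not to return the cookie over plaintext; PHP still emits the Set-Cookie header on an HTTP response. The guard below is an added example, not code from the bug report or from PHP itself, showing how an application can refuse to issue Secure cookies or start a session unless the request itself arrived over TLS. It assumes the usual SAPI convention that $_SERVER['HTTPS'] is set to a non-empty value other than "off" on TLS requests; the helper names are made up for this example.

```php
<?php
// Added example: server-side check so that Secure cookies are never
// written into a plaintext HTTP response in the first place.

// Assumption: the SAPI exposes TLS state via $_SERVER['HTTPS'] (most do),
// with SERVER_PORT 443 as a fallback for SAPIs that leave HTTPS unset.
function request_is_https()
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

// Set a cookie with secure + httponly, but only if this response will
// actually travel over TLS. Returns false (and sets nothing) otherwise.
function set_secure_cookie($name, $value, $lifetime_seconds, $path = '/', $domain = '')
{
    if (!request_is_https()) {
        // Emitting the header here would expose the value on the wire,
        // regardless of the Secure attribute on the cookie.
        return false;
    }
    return setcookie($name, $value, time() + $lifetime_seconds, $path, $domain, true, true);
}

// Start the session only over TLS; over plain HTTP, redirect to the
// HTTPS equivalent of the requested URL instead of issuing a session id.
function start_secure_session($lifetime_seconds = 3600, $path = '/', $domain = '')
{
    if (!request_is_https()) {
        $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost';
        $uri  = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
        header('Location: https://' . $host . $uri, true, 302);
        return false;
    }
    // Lifetime is in seconds here, not an absolute timestamp.
    session_set_cookie_params($lifetime_seconds, $path, $domain, true, true);
    return session_start();
}

// Usage: nothing below writes a Set-Cookie header on an HTTP request.
set_secure_cookie('setcookie', 'value-only-over-tls', 3600);
start_secure_session();
?>
```

When the HTTP redirect branch is hit, check the response with a plain `curl -I http://host/path` and confirm no Set-Cookie header accompanies the 302.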
