aidantwoods / SecureHeaders

A PHP library aiming to make the use of browser security features more accessible.
MIT License
423 stars 23 forks

Auto protected session cookie #63

Open staabm opened 7 years ago

staabm commented 7 years ago

Atm the lib uses a hardcoded list of possible cookie names/substring.

https://github.com/aidantwoods/SecureHeaders/blob/f60c3b752114036fbf621a813ead3c3dc7b4c34a/src/SecureHeaders.php#L77

Wouldn't it make sense to detect whether sessions are handled via cookies and if so add the session cookie's name to the protectedCookies list?

aidantwoods commented 7 years ago

Wouldn't it make sense to detect whether sessions are handled via cookies and if so add the session cookie's name to the protectedCookies list?

I like the idea here :D

So the suggestion is to poll session_name and use the result from that as a protected cookie name, alongside the existing names and substrings?

staabm commented 7 years ago

Exactly. I would check beforehand whether the session will be cookie based.

staabm commented 7 years ago

See session.use_cookies on http://php.net/manual/en/session.configuration.php

aidantwoods commented 7 years ago

Yup, I'll take a look at doing that – cheers for the links.

In-fact, if a session isn't cookie based, I wonder whether SecureHeaders should say something to encourage use of cookies to allow better protection methods by the browser (and also so the application doesn't leak the SID on navigation if an insufficient referrer policy is set).

Though, since 2.0 the default header set will issue a referrer policy to protect that leakiness on navigation, still might be worth the added sanity check if we're already polling the ini for the cookie name and other session info.
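The two checks discussed in this thread, as an added example that is not SecureHeaders' own code: poll `session.use_cookies` and `session_name()` to decide whether the session cookie belongs in a protected-cookie list, and inspect `session.use_only_cookies` / `session.use_trans_sid` for the SID-in-URL leak mentioned above. The initial `$protectedCookies` list and the function names are constructed for illustration and do not reflect the library's actual list or API.

```php
<?php
// Added example (not SecureHeaders' code). Decides whether the PHP session
// cookie should be treated as a protected cookie, and whether the session ID
// can still travel in URLs, using only the ini settings named in the thread.

/**
 * Return the session cookie name when sessions are cookie based, else null.
 * ini_get() yields "1"/"0" (or false if the option is unknown), so the value
 * is normalised with FILTER_VALIDATE_BOOLEAN.
 */
function sessionCookieNameIfCookieBased(): ?string
{
    if (!filter_var(ini_get('session.use_cookies'), FILTER_VALIDATE_BOOLEAN)) {
        return null; // sessions are not delivered by cookie; nothing to protect
    }
    return session_name(); // "PHPSESSID" unless the application renamed it
}

/**
 * True when the SID may be carried in URLs: either cookies are not the only
 * accepted transport, or trans-sid rewriting is enabled. Either case means a
 * navigation to a third party could leak the SID via the Referer header.
 */
function sessionIdMayLeakInUrls(): bool
{
    $onlyCookies = filter_var(ini_get('session.use_only_cookies'), FILTER_VALIDATE_BOOLEAN);
    $transSid    = filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN);
    return !$onlyCookies || $transSid;
}

/**
 * Merge the detected session cookie name into a list of protected names.
 * $protected is the caller's existing list; the name is appended only once.
 */
function withSessionCookie(array $protected): array
{
    $name = sessionCookieNameIfCookieBased();
    if ($name !== null && !in_array($name, $protected, true)) {
        $protected[] = $name;
    }
    return $protected;
}

// Constructed placeholder list standing in for the library's hardcoded names.
$protectedCookies = withSessionCookie(['sess', 'auth', 'login', 'csrf', 'token']);

if (sessionIdMayLeakInUrls()) {
    // Advisory only: cookie transport lets the browser enforce Secure/HttpOnly/SameSite.
    error_log('Session ID may appear in URLs; set session.use_only_cookies=1 and session.use_trans_sid=0.');
}

print_r($protectedCookies);
```

With PHP defaults (`session.use_cookies=1`, `session.use_only_cookies=1`, `session.use_trans_sid=0`) this appends `PHPSESSID` to the list and logs nothing; an application that renamed its session cookie via `session_name()` or ini gets that name instead, which is the point of polling rather than hardcoding.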

aidantwoods commented 7 years ago

Oops, I left this a while longer than I wanted to 😬 I'll pick this up later today hopefully