Add __Host- prefix when secure flag is enabled (!446) · Merge requests · Pleroma / pleroma

shibayashi requested to merge shibayashi/pleroma:security/cookie-hardening into develop Nov 12, 2018

This sets the __Host- prefix to the Pleroma session cookie. A browser will only accept a cookie with this prefix if it fulfills the following requirements:

Secure attributes needs to be set
URI scheme must be considered secure by browser
Set-Cookie does not contain a Domain attribute. The cookie is only sent to the host which sets it.
Path needs to be set to /. The cookie is sent at every request.

Browsers with no support (IE and Edge) will just ignore the prefix and treat it as part of the name.

Example scenario

A user visits the website for the first time over HTTP and an attacker intercepts the connection and plants a session cookie. Pleroma now thinks, that the user already has the cookie and uses the attacker controlled session. The __Host- prefix prevents this attack, because the session cookie can now only be set over a secure connection.

Add __Host- prefix when secure flag is enabled

Example scenario

Merge request reports