Description
Describe your problem
Mozilla Observatory (https://observatory.mozilla.org/analyze/) shows that session cookie security can generally be improved by setting the samesite attribute to either strict or lax, and by adding the "__Secure-" prefix to the session name (BLUDIT-KEY becomes __Secure-BLUDIT-KEY) when the site is called via HTTPS.
Documentation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes
However I am not a web developer and therefore might possibly not know all implications.
For a Bludit reachable via HTTPS only which has no other form of authentication (SSO, LDAP, etc.) than the built-in one, setting samesite=strict and the __Secure- prefix should do no harm. And at least Chrome and Safari set samesite to lax by default if it is missing from a cookie (Firefox doesn't). So samesite=lax could be a good default value.
The __Secure- prefix could be set when isHTTPS() (defined in bl-kernel/site.class.php) is true. This is already being used to set the secure flag in the cookie.
However, due to how the session name is currently assigned in bl-kernel/helpers/session.class.php, I wasn't able to do this, as it would require too many changes and I'm not that familiar with the Bludit codebase.
The current changes I made to test my site's functionality are the following:
- In bl-kernel/helpers/session.class.php I just renamed the sessionName variable:

```php
<?php defined('BLUDIT') or die('Bludit CMS.');

class Session {

    private static $started = false;

    // Set the __Secure- prefix if site is called via HTTPS, preventing overwrites from insecure origins
    // see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes
    //private static $sessionName = 'BLUDIT-KEY';
    private static $sessionName = '__Secure-BLUDIT-KEY';

    public static function start($path, $secure) {
    [...]
```
- Same file, I added the samesite attribute to the session_set_cookie_params function:

```php
session_set_cookie_params([
    'lifetime' => $cookieParams["lifetime"],
    'path'     => $path,
    'domain'   => $cookieParams["domain"],
    'secure'   => $secure,
    'httponly' => true,
    'samesite' => 'strict'
]);
```
Bludit keeps working with these settings for me. However as this is currently a custom modification to the Bludit codebase I would love to see it implemented in Bludit in one way or the other - as long as the change is sensible.
Steps to reproduce the problem
Open https://observatory.mozilla.org/analyze/ and scan any Bludit site, scroll down to "Cookies".
Bludit version
3.16.2
PHP version
7.4
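For reference, the following is an added, self-contained sketch of how the cookie name could follow the transport instead of being hard-coded, so that the __Secure- prefix is only used when the site is reached over HTTPS. It is not Bludit's code: `siteIsHttps()` is a stand-in for the project's isHTTPS() in bl-kernel/site.class.php (its detection logic here is an assumption), the function names and the `$path`/`$domain`/`$lifetime` parameters are chosen for illustration, and the SameSite choice of Strict mirrors the setting tested above. It needs PHP 7.3 or later for the array form of session_set_cookie_params(), which the 7.4 named in this report satisfies.

```php
<?php
// Added example, not Bludit's own code. Decides the session cookie's name
// and attributes before session_start(), depending on whether the request
// arrived over HTTPS.

// Stand-in for Bludit's isHTTPS(); the checks below are an assumption.
// Behind a TLS-terminating proxy, X-Forwarded-Proto must additionally be
// trusted from that proxy only, which this sketch does not handle.
function siteIsHttps(): bool {
    $https = $_SERVER['HTTPS'] ?? '';
    return ($https !== '' && $https !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

// Returns the name and the session_set_cookie_params() options as data, so
// the decision can be inspected (or unit-tested) before any header is sent.
function sessionCookieConfig(bool $https, string $path, string $domain = '', int $lifetime = 0): array {
    // Browsers accept a __Secure- cookie only when it also carries the
    // Secure flag, and a Secure cookie is never sent back over plain HTTP.
    // Tying the prefix to the transport avoids a login cookie that is set
    // but never returned on an HTTP deployment.
    $name = $https ? '__Secure-BLUDIT-KEY' : 'BLUDIT-KEY';

    return [
        'name'   => $name,
        'params' => [
            'lifetime' => $lifetime,
            'path'     => $path,
            'domain'   => $domain,
            'secure'   => $https,
            'httponly' => true,
            // Lax is what Chrome and Safari assume when the attribute is
            // absent. Strict additionally withholds the cookie on top-level
            // navigations from other sites, which only affects following an
            // external link straight into the admin panel.
            'samesite' => 'Strict',
        ],
    ];
}

function startHardenedSession(string $path): void {
    $cfg = sessionCookieConfig(siteIsHttps(), $path);
    // Both calls must precede session_start(): session_name() also decides
    // which request cookie PHP looks for when resuming the session.
    session_name($cfg['name']);
    session_set_cookie_params($cfg['params']);
    session_start();
}

// Example use at request start (path is an assumption for illustration):
// startHardenedSession('/');
```

One practical caveat when adopting this: renaming the cookie invalidates every existing login, because PHP no longer reads the old BLUDIT-KEY cookie once session_name() changes, so all users will have to sign in again after the update. After the change, an HTTPS response should carry a Set-Cookie header starting with `__Secure-BLUDIT-KEY=` and including the `secure`, `HttpOnly` and `SameSite=Strict` attributes, which is what the "Cookies" section of the Observatory scan checks for.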