summaryrefslogtreecommitdiff
path: root/demos/quickstart/protected/pages/Security/Cookie.page
blob: 6e95e38097c136bfc4b617124bb9295e9d7a3cad (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<com:TContent ID="body" >

<h1>Cookie Attack Prevention</h1>
<p>
Protecting cookies from being attacked is of extreme important, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information.
</p>
<p>
There are several countermeasures to prevent cookies from being attacked.
</p>
<ul>
  <li>An application can use SSL to create a secure communication channel and only pass the authentication cookie over an HTTPS connection. Attackers are thus unable to decipher the contents in the transferred cookies.</li>
  <li>Expire sessions appropriately, including all cookies and session tokens, to reduce the likelihood of being attacked.</li>
  <li>Prevent <a href="?page=Security.XSS">cross-site scripting (XSS)</a> which causes arbitrary code to run in a user's browser and expose his cookies.</li>
  <li>Validate cookie data and detect if they are altered.</li>
</ul>
<p>
Prado implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enable.
</p>
<p>
Cookie validation is disabled by default. To enable it, configure the <tt>THttpRequest</tt> module as follows,
</p>
<com:TTextHighlighter Language="xml" CssClass="source">
<modules>
  <module id="request" class="THttpRequest" EnableCookieValidation="true" />
</modules>
</com:TTextHighlighter>
<p>
To make use of cookie validation scheme provided by Prado, you also need to retrieve cookies through the <tt>Cookies</tt> collection of <tt>THttpRequest</tt> by using the following PHP statements,
</p>
<com:TTextHighlighter CssClass="source">
foreach($this->Request->Cookies as $cookie)
    // $cookie is of type THttpCookie
</com:TTextHighlighter>
<p>
To send cookie data encoded with validation information, create new <tt>THttpCookie</tt> objects and add them to the <tt>Cookies</tt> collection of <tt>THttpResponse</tt>,
</p>
<com:TTextHighlighter CssClass="source">
$cookie=new THttpCookie($name,$value);
$this->Response->Cookies[]=$cookie;
</com:TTextHighlighter>

</com:TContent>