Toot

Written by April King on 2024-11-21 at 17:08

Handling Cookies is a Minefield:

inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

https://grayduck.mn/2024/11/21/handling-cookies-is-a-minefield/


Descendants

Written by Giorgio Maone 🚫✊🧅 on 2024-11-22 at 14:20

@april entertaining as much as terrifying read. Would have been very timely right at the end of the past month🦇🎃👻


Written by Sam Sneddon 🏳️‍⚧️ on 2024-11-22 at 17:05

@april this reminds me of years ago the HTTP WG being pretty reluctant to change cookies to actually match what web compat requires — and while some might want to argue “hey there’s loads of other HTTP stacks which aren’t reporting compatibility issues”, cookies are surely disproportionately used by browsers


Written by Ben Ramsey on 2024-11-23 at 01:15

@april @krinkle Hahaha! I ran into this issue about 15 years ago and thought maybe the Cookie2 and Set-Cookie2 headers were the way to go (since they appear to resolve the value of the cookie), but literally no one ever used that header, so it’s deprecated now.

https://www.rfc-editor.org/rfc/rfc2965

https://www.rfc-editor.org/rfc/rfc6265


Written by ignace nyamagana butera on 2024-11-23 at 07:38

@ramsey @april @krinkle I think the new and better response is https://www.rfc-editor.org/rfc/rfc9651.html but for some reason this has yet to gain traction in PHP 🤷


Written by Ben Ramsey on 2024-11-23 at 08:54

@nyamsprod @april @krinkle It appears it’s still very new. I’ve never heard of it, but I like what I see.


Written by ignace nyamagana butera on 2024-11-23 at 08:55

@ramsey @april @krinkle it’s been there for almost 4 years and all new headers from Chrome to what not use it already. I even created a PHP package for it. Working on v2 at the moment https://github.com/bakame-php/http-structured-fields


Written by Sam Sneddon 🏳️‍⚧️ on 2024-11-23 at 15:40

@ramsey @april @krinkle and Opera (Presto) was I think the only browser that supported it? but with no cookies being sent, that was basically useless.


Written by Gina Peter Banyard on 2024-11-23 at 03:45

@april opening an issue on the php-src GitHub repo might be a good idea so that someone (if not myself) looks into it for PHP.


Written by ignace nyamagana butera on 2024-11-23 at 07:07

@april Hence why the structured field RFC https://www.rfc-editor.org/rfc/rfc9651.html and https://httpwg.org/http-extensions/draft-ietf-httpbis-retrofit.html#name-cookies exist: to solve this type of security issue.


Written by daniel:// stenberg:// on 2024-11-23 at 11:08

@april I've tried. I've struggled. I've filed numerous issues. I've had very little success in trying to rectify several of the issues you list in there... 😞


Written by floyd aka floyd_ch on 2024-11-23 at 20:01

@bagder @april this reminded me of http://seriot.ch/projects/parsing_json.html which is basically proof that, as a community, we also fail with newer standards, unfortunately.


Written by Sam Sneddon 🏳️‍⚧️ on 2024-11-23 at 15:42

@april the other thing that comes to mind recently is “SameSite=Lax” by default, which a bunch of docs and specs say is the case, but only Chrome has managed to ship it — both Firefox and Safari unshipped it, due to too much breakage, and the win is much smaller when cookies are partitioned and/or not sent cross-site/origin to start with


Written by Seb-Solon on 2024-11-23 at 16:07

@april

Thanks, that's a very interesting article! Out of curiosity, did you keep track of the versions of the programming languages used? It could be nice to do the exercise again in a couple of years to compare 😀


Written by April King on 2024-11-23 at 16:14

@Seb_Solon I didn’t, although I probably should have. Most of those tests were over a year old, although I don’t think anything has changed in them.


Written by Tilde Lowengrimm on 2024-11-23 at 22:17

@april Thanks for this great analysis! I hate it.
