Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-50160

HTTP only cookies (cookiehttponly) default set to on and UI setting removed

    XMLWordPrintable

Details

    • MOODLE_28_STABLE
    • MOODLE_403_STABLE
    • master_MDL-50160
    • Easy
    • Hide

      Existing site that is upgraded:

      • Prior to applying this patch
      • Log into the site as an admin
      • navigate to: Site administration > General > HTTP security
      • Take note of the state of the setting: "Only http cookies" (cookiehttponly)
      • Open the storage/cookies inspector of your web browsers development tools and take note of the "HttpOnly" status of the cookies for the domain of your webserver
        • If the Moodle "Only http cookies option is not checked, then the HttPOnly value should be false
        • If the Moodle "Only http cookies option is checked, then the HttPOnly value should be true

       

      • Apply this patch to the site and clear site caches
      • Log into the site as an admin
      • navigate to: Site administration > General > HTTP security
      • Confirm the setting: "Only http cookies" (cookiehttponly) is no longer present in the UI
      • Open the storage/cookies inspector of your web browsers development tools and take note of the "HttpOnly" status of the cookies for the domain of your webserver
      • Confirm the status of "HttpOnly" is the same as it was prior to the patch being applied

       

      • Add the following to your config.php file:
        $CFG->cookiehttponly = false;
      • Clear the cookies in your browser for your Moodle site
      • Reload the page
      • Confirm the "HttpOnly" status of the cookies for the domain of your webserver is false
      • Update the following to your config.php file:
        $CFG->cookiehttponly = True;
      • Clear the cookies in your browser for your Moodle site
      • Reload the page
      • Confirm the "HttpOnly" status of the cookies for the domain of your webserver is true

      New site that is installed:

      • Install a new site with this patch applied
      • Log into the site as an admin
      • navigate to: Site administration > General > HTTP security
      • Confirm the setting: "Only http cookies" (cookiehttponly) is no longer present in the UI
      • Confirm the "HttpOnly" status of the cookies for the domain of your webserver is true
      • Add the following to your config.php file:
        $CFG->cookiehttponly = false;
      • Clear the cookies in your browser for your Moodle site
      • Reload the page
      • Confirm the "HttpOnly" status of the cookies for the domain of your webserver is false
      Show
      Existing site that is upgraded: Prior to applying this patch Log into the site as an admin navigate to: Site administration > General > HTTP security Take note of the state of the setting: "Only http cookies" (cookiehttponly) Open the storage/cookies inspector of your web browsers development tools and take note of the "HttpOnly" status of the cookies for the domain of your webserver If the Moodle "Only http cookies option is not checked, then the HttPOnly value should be false If the Moodle "Only http cookies option is checked, then the HttPOnly value should be true   Apply this patch to the site and clear site caches Log into the site as an admin navigate to: Site administration > General > HTTP security Confirm the setting: "Only http cookies" (cookiehttponly) is no longer present in the UI Open the storage/cookies inspector of your web browsers development tools and take note of the "HttpOnly" status of the cookies for the domain of your webserver Confirm the status of "HttpOnly" is the same as it was prior to the patch being applied   Add the following to your config.php file: $CFG->cookiehttponly = false; Clear the cookies in your browser for your Moodle site Reload the page Confirm the "HttpOnly" status of the cookies for the domain of your webserver is false Update the following to your config.php file: $CFG->cookiehttponly = True; Clear the cookies in your browser for your Moodle site Reload the page Confirm the "HttpOnly" status of the cookies for the domain of your webserver is true New site that is installed: Install a new site with this patch applied Log into the site as an admin navigate to: Site administration > General > HTTP security Confirm the setting: "Only http cookies" (cookiehttponly) is no longer present in the UI Confirm the "HttpOnly" status of the cookies for the domain of your webserver is true Add the following to your config.php file: $CFG->cookiehttponly = false; Clear the cookies in your browser for your Moodle site Reload the page Confirm the "HttpOnly" status of the cookies for the domain of your webserver is false
    • 1
    • Team Hedgehog 2023 Review 2, Team Hedgehog 2023 Sprint 3.1

    Description

      Issue location:

      Site Administration / Security / HTTP security / Only http cookies

      Current description reads:

      Enables new PHP 5.2.0 feature - browsers are instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages. This is not supported in all browsers and it may not be fully compatible with current code. It helps to prevent some types of XSS attacks

      As PHP is now at 8.2 and it has another 6 years since this issue originally had traffic. It is time to revisit this issue and move it forward.

      While a lot of the AICC/SCORM content should have aged out by now, we'll still go down a deprecation path for this. Also there has been questions raised around LTI, based on research LTI does not inherently require client-side access to cookies, and its core functionality (like launching a tool, returning grades, etc.) should work independently of whether cookies are set to HTTP-only. However, there may be specific implementations that require this. Having the option to disable HTTP cookies will help handle this and by defaulting HTTP only to on should help discover any of these scenarios.

      Based on the discussion in this ticket and more internal team discussion, the behavior should be:

      1. Default HTTP only cookies to on in new installs
      2. Remove the UI setting
      3. Add a config.php override to turn on. Documented in config-dist.php
      4. Deprecate and then remove the functionality in line with policy
      5. For existing sites that are upgraded, the current setting should persist (when the UI is removed), the behaviour can be set in config.php

       

      Attachments

        Issue Links

          Activity

            People

              matt.porritt@moodle.com Matt Porritt
              dustin.brisebois Dustin Brisebois
              Meirza Meirza
              Andrew Lyons Andrew Lyons
              Kim Jared Lucas Kim Jared Lucas
              Votes:
              3 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 6 hours, 10 minutes
                  6h 10m

                  Clockify

                    Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.