eZ Community » Forums » General » Can I turn off cookies in 4.1.3

Can I turn off cookies in 4.1.3

Wednesday 06 August 2014 7:03:36 am - 2 replies

Hi there.
We have been informed by a security audit that we are running cookies on our site and that it leaves us open to malware running on visitors' web browsers.
We are currently running eZ Publish 4.1.3.
A test via http://www.cookie-checker.com/ brings up 5 cookies from Google Analytics and one from eZSESSID.
Is this a risk?
Can I turn it off?
Will it break stuff?
I had no luck putting this: "session.cookie_httponly = True" in my php.ini.
It appears to get overridden by the stuff in settings/site.ini.
Any advice?
Thanks

http://share.ez.no/forums/general/sessions-and-cookies

Wednesday 06 August 2014 11:07:29 am

Side note: don't believe anything that an automated security scanner tells you without challenging/discussing/dissecting it first.

(disclaimer: I did work as a security consultant before joining eZ, and did deploy tools doing automated scans. The "added value" the company provided was having expert people take the scan results, analyse them and turn them into an accurate report before handing it to the customer)

As for your questions:

The session cookie cannot be disabled, unless you only have anonymous users visiting the site.

The php.ini settings are not used by eZ, but you have dedicated settings in site.ini, so you can use those.

Afaik, eZ never uses the session cookie or is_logged_in cookie via JS, so enabling CookieHttponly should be fine. BUT custom code (template/JS) might use it, and could break. This is afaik the reason for not enabling it by default.

Of course the best way to secure the admin interface is to run it over HTTPS (and set CookieSecure=true).

Modified on Wednesday 06 August 2014 11:10:39 am by Gaetano Giunta
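A way to check the two points made in the reply against a captured HTTP response, as an added example that is not code from this thread or from eZ Publish: which cookies the server itself sets, and whether its session cookies carry the HttpOnly and Secure flags. The response headers and the scanner's cookie list below are constructed; the cookie names eZSESSID and is_logged_in come from the thread, and the `__utm*` names are assumed to be what Google Analytics of that era set. Cookies that a browser-side checker reports but that never appear in a Set-Cookie header were created by JavaScript on the client, so no server setting (CookieHttponly or otherwise) can add HttpOnly to them; the server can only flag the cookies it sends.

```python
"""Audit the cookies a server sets from its Set-Cookie headers.

Added example for this thread; not part of eZ Publish or of any scanner.
All sample headers and the scanner report below are constructed.
"""
from dataclasses import dataclass

# Cookies eZ Publish sets itself (names taken from the thread). The session
# cookie name may carry a per-siteaccess suffix, so we match on prefix.
SERVER_SESSION_PREFIXES = ("eZSESSID", "is_logged_in")


@dataclass(frozen=True)
class ParsedCookie:
    name: str
    secure: bool
    httponly: bool
    attributes: dict


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into its name and attribute flags."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs get ""
    return ParsedCookie(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        attributes=attrs,
    )


def server_cookies(headers):
    """Cookies a response sets, taken from its Set-Cookie headers only."""
    return [parse_set_cookie(v) for (k, v) in headers if k.lower() == "set-cookie"]


def audit_session_cookies(headers, over_https: bool):
    """Return (cookie name, problem) pairs for session cookies lacking flags."""
    problems = []
    for c in server_cookies(headers):
        if not c.name.startswith(SERVER_SESSION_PREFIXES):
            continue
        if not c.httponly:
            problems.append((c.name, "missing HttpOnly: readable by page scripts"))
        if over_https and not c.secure:
            problems.append((c.name, "missing Secure: also sent over plain http"))
    return problems


def client_side_cookies(scanner_names, headers):
    """Names a browser-side checker saw that the server never set.

    These were created by JavaScript on the client (the usual case for
    analytics cookies); a server-side HttpOnly setting cannot affect them.
    """
    set_by_server = {c.name for c in server_cookies(headers)}
    return sorted(n for n in scanner_names if n not in set_by_server)


# Constructed sample: a front-page response before and after the session
# cookie flags are enabled. Cookie values are dummies.
BEFORE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "eZSESSID=0123456789abcdef; path=/"),
    ("Set-Cookie", "is_logged_in=true; path=/"),
]
AFTER = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "eZSESSID=0123456789abcdef; path=/; secure; HttpOnly"),
    ("Set-Cookie", "is_logged_in=true; path=/; secure; HttpOnly"),
]
# Constructed list of what a browser-side cookie checker reported.
SCANNER_REPORT = ["__utma", "__utmb", "__utmc", "__utmz", "__utmt", "eZSESSID"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_session_cookies(hdrs, over_https=True))
    print("set by client-side JS:", client_side_cookies(SCANNER_REPORT, BEFORE))
```

Run it against headers captured from your own site (for example the Set-Cookie lines from `curl -sI`) with `over_https` set according to how the admin interface is actually served; anything the scanner lists that `client_side_cookies` returns is outside the server's control and needs to be discussed with the auditor rather than "fixed" in site.ini.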

Wednesday 06 August 2014 11:10:16 am

PS: eZ introduced the ezformtoken extension a while back (4.6 iirc) to help thwart XSRF attacks. This is an extension you should always have enabled.

Modified on Wednesday 06 August 2014 11:11:07 am by Gaetano Giunta
