Jump to the post that solved this thread.
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Not Solved [General] Secure cookie flag setting
#1
Not Solved
Hello members!

I just came to this option today and would like to know if it should be enabled or disabled?

Mine is disabled for the moment.

Screenshot follows:

   
Reply
#2
Not Solved
If you are using secure connection (https://) in your site you should enable "Secure Cookie Flag" to ensure more security.
Quote:The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)

Would also like to mention there is another flag available in MyBB which is called "SameSite Cookie Flag". This has been introduced very recently and simultaneously implemented to prevent "Cross-Site Request Forgery" aka CSRF attacks.
Enabling this results in securing authentication and ofcourse recommended to enable in general cases (unless you are not using / expecting cross-origin post requests).
[Image: logo.svg.svg]
Reply
#3
Not Solved
Yeah,the other one was enabled by default.

Now i've also enabled the other one like this:

   

Many thanks.
Reply
#4
Not Solved
(08-19-2018, 11:26 AM)effone Wrote: Would also like to mention there is another flag available in MyBB which is called "SameSite Cookie Flag". This has been introduced very recently and simultaneously implemented to prevent "Cross-Site Request Forgery" aka CSRF attacks.
Enabling this results in securing authentication and ofcourse recommended to enable in general cases (unless you are not using / expecting cross-origin post requests).

For a clueless dolt like me, how does CSRF attacks differ from XSS attacks?
I'm Serpius and You're Not    ¯\_(ツ)_/¯
[Image: y3xr3cj5]
Reply
#5
Not Solved
(08-19-2018, 01:43 PM)Serpius Wrote:
(08-19-2018, 11:26 AM)effone Wrote: Would also like to mention there is another flag available in MyBB which is called "SameSite Cookie Flag". This has been introduced very recently and simultaneously implemented to prevent "Cross-Site Request Forgery" aka CSRF attacks.
Enabling this results in securing authentication and ofcourse recommended to enable in general cases (unless you are not using / expecting cross-origin post requests).

For a clueless dolt like me, how does CSRF attacks differ from XSS attacks?

XSS attacks involve injecting code that makes browsers perform unwanted actions, such as attempting to delete or modify posts without user interaction, passing sensitive information (like login keys) to someone else or redirecting users to deceitful sites.

Patches for XSS vulnerabilities are usually limited to "escaping" input values that get submitted by users (so HTML code is displayed, but not executed).

It's always been obvious that users shouldn't be able to execute HTML, but in MyBB 1.8's ACP the line between a vulnerability and a feature can sometimes be blurry because there's no information on what settings are actually intended to support HTML - that results in issues like https://github.com/mybb/mybb/issues/3383, where administrators input HTML to e.g. show images with security questions. Many settings are unfiltered for various reasons and for that reason we assume that anyone with ACP access can insert HTML and perform XSS attacks, so that permission should be granted with caution.


CSRF attacks also rely on imitating users' requests to MyBB, but in this case no malicious code is inserted dierectly, and all possible outcomes are possible to achieve by normal user activity. In this case, MyBB could be tricked to believe that a "Delete" link for some post was clicked, even if that link was placed on a different website, with a innocuous title.

This threat is usually mitigated by verifying anti-CSRF codes (sometimes "CSRF codes", "tokens") that are attached to such links and buttons across MyBB - external links won't work because the attackers don't have the user-specific code (in MyBB, included in the HTML source code usually named my_post_key - the main reason why the full page source shouldn't be shared, which sometimes happens on our support forums).
The mentioned sameSite cookie flag is an additional layer of protection that also prevents login cookies from being included when external links are followed to MyBB, effectively making users logged out for that request.

The recent Login CSRF patch addressed a CSRF vulnerability by including an anti-CSRF code for guests, without which it could've been possible for attackers to make someone logged in under a different account (an easy starting point for other, directly harmful attacks).
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply
Jump to the post that solved this thread.


Forum Jump:


Users browsing this thread: 1 Guest(s)