Auto protected session cookie

[staabm]

Atm the lib uses a hardcoded list of possible cookie names/substring.

SecureHeaders/src/SecureHeaders.php

Line 77 in f60c3b7

protected $protectedCookies = [

Wouldnt it make sense to detect whether sessions are handled via cookies and if so add the session cookies name to the protectedCookies list?

[aidantwoods]

Wouldnt it make sense to detect whether sessions are handled via cookies and if so add the session cookies name to the protectedCookies list?

I like the idea here :D

So the suggestion is to poll session_name and use the result from that as a protected cookie name, alongside the existing names and substrings?

[staabm]

Exactly. I would check before whether the session will be cookie based

[staabm]

See session.use_cookies on http://php.net/manual/en/session.configuration.php

[aidantwoods]

Yup, I'll take a look at doing that – cheers for the links.

In-fact, if a session isn't cookie based, I wonder whether SecureHeaders should say something to encourage use of cookies to allow better protection methods by the browser (and also so the application doesn't leak the SID on navigation if an insufficient referrer policy is set).

Though, since 2.0 the default header set will issue a referrer policy to protect that leakiness on navigation, still might be worth the added sanity check if we're already polling the ini for the cookie name and other session info.

[aidantwoods]

Oops I left this a while longer than I wanted too 😬
I'll pick up on this up later today hopefully