mbowie at buzmo dot com #1
#40778 [NEW]: Cookies with secure parameter sent via HTTP
From: mbowie at buzmo dot com
Operating system: FreeBSD 6.0R
PHP version: 5.2.1
PHP Bug Type: Session related
Bug description: Cookies with secure parameter sent via HTTP
Description:
------------
Cookies sent via the set_cookie method or via PHP's session module with
the secure parameter set to true can be sent via HTTP.
http://php.net/set_cookie has notes against the secure flag which state:
"Indicates that the cookie should only be transmitted over a secure HTTPS
connection. When set to TRUE, the cookie will only be set if a secure
connection exists. The default is FALSE." This does not appear to be the
case.
It's possible that this is by design, but if so, perhaps it's worth noting
in the documentation that the secure parameter only refers to the browser's
activities, not those of the webserver.
The upshot of this is that an attacker may pick up a visitor's cookie by
sniffing HTTP traffic on the wire and craft their own cookie in order to
spoof the visitor's identity on the secure side.
The same thing happens on 4.3.9, 5.2.0 and 5.2.1; all of which are
compiled via the FreeBSD ports tree and are running on various flavors of
FreeBSD.
Reproduce code:
---------------
<?php
$domain = 'setme';

// Sixth argument (secure) is true, yet the Set-Cookie header is still
// emitted when this page is fetched over plain HTTP.
setcookie('setcookie', 'insecure', time()+3600, '/', $domain, true);

// Same thing for the session cookie issued by session_start(): secure = true.
session_name('session_set_cookie_params');
// Note: the first parameter is a lifetime in seconds, not an absolute
// timestamp like setcookie()'s expiry argument.
session_set_cookie_params(
    3600,
    '/',
    $domain,
    true
);
session_start();
Expected result:
----------------
No cookies should be sent to the browser unless the page is requested via
an SSL encrypted channel.
Actual result:
--------------
Cookie headers are sent regardless of whether the page is requested via
HTTP or HTTPS.
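As an added example (not the reporter's code, and not anything PHP does on its own): since the secure flag only instructs the browser, the only way to keep the cookie value off a cleartext wire is for the server to check the transport itself before calling setcookie() or session_start(). The snippet below assumes PHP 7 or later, that the SAPI populates $_SERVER['HTTPS'] when TLS is in use, and a hypothetical TRUST_PROXY setting for deployments behind a TLS-terminating proxy; request_is_https(), set_secure_cookie() and $canonical_host are illustrative names, not PHP APIs.

```php
<?php
// Added example, not code from the bug report: refuse to issue a Secure cookie
// (or start a cookie-based session) unless the request itself came in over TLS.
// The Secure attribute is an instruction to the browser; PHP writes the
// Set-Cookie header on a plain-HTTP response regardless, as the report shows,
// so the server has to check the transport before emitting the header.

// Assumptions: PHP 7+ (scalar type hints), and that $_SERVER['HTTPS'] is set
// by the SAPI when TLS is in use (IIS sets it to 'off' on plain HTTP).
// TRUST_PROXY is a hypothetical setting: enable it only when a TLS-terminating
// proxy you control sets X-Forwarded-Proto, because clients can send that
// header too and would otherwise be able to claim "https" over plain HTTP.
const TRUST_PROXY = false;

function request_is_https(array $server, bool $trust_proxy = TRUST_PROXY): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_proxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// Hypothetical wrapper around setcookie(): a no-op over plain HTTP, so the
// value never appears in a cleartext Set-Cookie header for a sniffer to read.
function set_secure_cookie(string $name, string $value, int $expires,
                           string $path, string $domain): bool
{
    if (!request_is_https($_SERVER)) {
        return false; // caller should redirect to https:// rather than serve the page
    }
    // secure = true, httponly = true (not readable from document.cookie either)
    return setcookie($name, $value, $expires, $path, $domain, true, true);
}

$domain = 'setme';                   // same placeholder as in the report
$canonical_host = 'www.example.com'; // assumption: your TLS hostname. Do not
                                     // build the redirect from $_SERVER['HTTP_HOST'],
                                     // which the client controls.

if (!request_is_https($_SERVER)) {
    // Bounce to HTTPS before any cookie is issued on this response.
    header('Location: https://' . $canonical_host . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

set_secure_cookie('setcookie', 'only-over-tls', time() + 3600, '/', $domain);

session_name('session_set_cookie_params');
// Lifetime in seconds (not an absolute timestamp); secure and httponly both set.
session_set_cookie_params(3600, '/', $domain, true, true);
session_start();
```

With this guard in place, a request for the page over http:// produces a redirect and no Set-Cookie header at all, so there is nothing for a passive sniffer to replay against the HTTPS side; the flag on the cookie then does what the documentation describes for the browser's half of the exchange.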