-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brion Vibber wrote:
> Ok, quick update, I've done a basic assessment of the additional
> security impact of global session cookies and some mitigation strategies:
> http://www.mediawiki.org/wiki/Global_session_threat_assessment
Status update...
* Werdna's added support for HttpOnly cookies under PHP 5.2. Currently
we can't deploy this until we finish upgrading some of our machines.
* I've enabled global sessions on secure.wikimedia.org, where there's a
single domain and few other services to increase the attack surface. It
_seems_ to mostly work so far. ;)
Logging out doesn't quite clear all sessions correctly yet, but so far
so good. :)
- -- brion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkgGeYEACgkQwRnhpk1wk46gowCghedqc7awDafyVh+kH5B64QW4
t9cAoMsouCVh/CbV7tf5qpF/aSgpxnOy
=06zW
-----END PGP SIGNATURE-----
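The HttpOnly cookie support mentioned in the message above, shown as an added example; this is not code from the original message nor MediaWiki's own implementation. It assumes a helper named set_session_cookie(), a cookie domain of .example.org and the session name "gsession", all of which are illustrative. The PHP-version branch matters because the 7th "httponly" argument to setcookie() (and the 5th to session_set_cookie_params()) only exists from PHP 5.2.0; on older releases the flag has to be appended to a hand-built Set-Cookie header.

```php
<?php
// Added example, not MediaWiki code. Issues a session cookie that browsers
// will not expose to script (HttpOnly) and will only send over TLS (Secure).

function set_session_cookie($name, $value, $domain, $secure = true) {
    $expire = 0;   // 0 = browser-session cookie, no persistent expiry
    $path   = '/';

    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // PHP >= 5.2.0: setcookie() accepts a 7th 'httponly' argument.
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // PHP < 5.2.0: setcookie() cannot emit HttpOnly, so build the header
    // ourselves. The second argument 'false' keeps earlier Set-Cookie headers.
    $cookie = rawurlencode($name) . '=' . rawurlencode($value)
        . '; path=' . $path
        . '; domain=' . $domain
        . ($secure ? '; secure' : '')
        . '; HttpOnly';
    header('Set-Cookie: ' . $cookie, false);
    return true;
}

// Expire the cookie on logout: same name/path/domain, a date in the past,
// and an empty value, so the browser discards it rather than keeping a stale one.
function clear_session_cookie($name, $domain, $secure = true) {
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        return setcookie($name, '', time() - 3600, '/', $domain, $secure, true);
    }
    header('Set-Cookie: ' . rawurlencode($name) . '=; path=/; domain=' . $domain
        . '; expires=Thu, 01 Jan 1970 00:00:00 GMT'
        . ($secure ? '; secure' : '') . '; HttpOnly', false);
    return true;
}

// Apply the same flags to PHP's own session cookie before session_start().
// Assumed cookie domain; a real deployment would use its shared parent domain.
$domain = '.example.org';
if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
    session_set_cookie_params(0, '/', $domain, true, true);
} else {
    ini_set('session.cookie_secure', 1);   // httponly is unavailable here
}

// Usage (assumed session name and token; the token must come from a CSPRNG):
// set_session_cookie('gsession', $token, $domain);
// ... and on logout, after session_destroy():
// clear_session_cookie('gsession', $domain);
```

One caveat a practitioner should keep in mind: HttpOnly only stops script from reading the cookie via document.cookie; it does nothing against a script that simply makes authenticated requests from the victim's browser, so it narrows the damage of an XSS rather than removing it. The Secure flag is what stops the global cookie leaking over a plain-HTTP subdomain.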