-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brion Vibber wrote:
Ok, quick update, I've done a basic assessment of the additional security impact of global session cookies and some mitigation strategies:
http://www.mediawiki.org/wiki/Global_session_threat_assessment
Status update...
* Werdna's added support for HttpOnly cookies under PHP 5.2. Currently we can't deploy this until we finish upgrading some of our machines.
* I've enabled global sessions on secure.wikimedia.org, where there's a single domain and few other services to increase the attack surface. It _seems_ to mostly work so far. ;)
Logging out doesn't quite clear all sessions correctly yet, but so far so good. :)
- -- brion
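As an added illustration of the two points in the message above (the HttpOnly flag PHP 5.2 introduced, and a logout that actually clears the session cookie), here is example code that is not part of the original post and not MediaWiki's own code. It assumes a single-domain deployment; the host name `secure.example.org`, the cookie names, and the `endSession()` helper are placeholders chosen for the example.

```php
<?php
// Added example, not from the original message or from MediaWiki.
// PHP 5.2.0 added a trailing "httponly" argument to both
// session_set_cookie_params() and setcookie(); a cookie marked HttpOnly
// is not exposed to document.cookie in the browser, which limits what a
// script injected into the page can read.

$cookieDomain = 'secure.example.org'; // placeholder: the single host the session is scoped to
$cookiePath   = '/';
$lifetime     = 0;                    // 0 = session cookie, discarded when the browser closes
$secure       = true;                 // only transmitted over HTTPS
$httpOnly     = true;                 // requires PHP >= 5.2.0

if (version_compare(PHP_VERSION, '5.2.0', '<')) {
    // Older PHP has no httponly argument; the flag can only be added by
    // writing the Set-Cookie header by hand.
    trigger_error('PHP >= 5.2.0 needed for the httponly argument', E_USER_WARNING);
}

// Apply the attributes to the PHP session cookie before the session starts.
session_set_cookie_params($lifetime, $cookiePath, $cookieDomain, $secure, $httpOnly);
session_name('example_session'); // placeholder cookie name
session_start();

// Any additional cookie that carries a credential gets the same treatment;
// the seventh argument is httponly.
$tokenValue = 'placeholder-token-value'; // assumed: generated elsewhere
setcookie('example_token', $tokenValue, $lifetime, $cookiePath, $cookieDomain, $secure, $httpOnly);

/**
 * Log the user out and clear the session cookie on the client.
 *
 * The expiry cookie must repeat the exact path and domain the original was
 * set with, otherwise the browser treats it as a different cookie and keeps
 * the old one, which is one way a logout ends up leaving a live session behind.
 */
function endSession($cookiePath, $cookieDomain, $secure, $httpOnly)
{
    $_SESSION = array();
    // Expire the session cookie with matching attributes.
    setcookie(session_name(), '', time() - 3600, $cookiePath, $cookieDomain, $secure, $httpOnly);
    // Expire any companion credential cookie the same way.
    setcookie('example_token', '', time() - 3600, $cookiePath, $cookieDomain, $secure, $httpOnly);
    // Drop the server-side session data so the old id cannot be reused.
    session_destroy();
}

// Example usage on a logout request (assumed request parameter):
if (isset($_GET['logout'])) {
    endSession($cookiePath, $cookieDomain, $secure, $httpOnly);
}
```

The point a reviewer would check is that the attributes passed to the expiring `setcookie()` call in `endSession()` match those used when the cookie was created; a mismatch in path or domain is a common reason a logout appears to succeed while the browser still holds a valid session cookie.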