Support session encryption

Implement session encryption.
author: kkadosh 2018-05-29 19:34:16 +0000
committer: jvoisin 2018-05-29 19:34:16 +0000
commit: 7832438b7abedf567ce6376f99949f419abcdff1 (patch)
tree: 560e43918d1dc36ce4cf760a5b27aed0c563bc1c /doc/source/config.rst
parent: 9eebe8c67e03e3041d454ea28e93996f7a67740b (diff)
1 files changed, 3 insertions, 97 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index d8389b6..b5bcad4 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -68,7 +68,7 @@ This configuration variable contains parameters that are used by multiple featur
  sp.global.secret_key("44239bd400aa82e125337c9d4eb8315767411ccd");
 - ``cookie_env_var``: A environment variable used as part of cookies encryption.
-  See the :ref:`relevant documentation <env-var-config>`.
+  See the :ref:`relevant documentation <cookie-encryption-config>`
 Bugclass-killer features
 ------------------------
@@ -123,103 +123,9 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m
 Cookies-related mitigations
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-.. warning::
+Since snuffleupagus is providing several hardening features for cookies,
-  Those features are **not** available for session cookies `yet <https://github.com/nbs-system/snuffleupagus/issues/122>`_.
+there is a :dedicated web page:`here <cookie-encryption-config>` about them.
-auto_cookie_secure
-""""""""""""""""""
- 
-:ref:`auto_cookie_secure <auto-cookie-secure-feature>`, disabled by default,
-will automatically mark cookies as `secure
-<https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie>`_ when the web page
-is requested over HTTPS.
-It can either be ``enabled`` or ``disabled``.
-::
-  sp.auto_cookie_secure.enable();
-  sp.auto_cookie_secure.disable();
-cookie_samesite
-"""""""""""""""
- 
-:ref:`samesite <samesite-feature>`, disabled by default, will add the `samesite
-<https://tools.ietf.org/html/draft-west-first-party-cookies-07>`_ attribute to
-cookies. It `prevents CSRF <https://www.owasp.org/index.php/SameSite>`_ but is
-not implemented by `all web browsers <https://caniuse.com/#search=samesite>`_
-yet.
-It can either be set to ``strict`` or ``lax``:
- The ``lax`` attribute prevents cookies from being sent cross-domain for
-  "dangerous" methods, like ``POST``, ``PUT`` or ``DELETE``.
- The ``strict`` one prevents any cookies from beind sent cross-domain.
-::
-  sp.cookie.name("cookie1").samesite("lax");
-  sp.cookie.name("cookie2").samesite("strict");;
-.. _cookie-encryption_config:
-cookie_encryption
-"""""""""""""""""
-   
-.. warning::
-  To use this feature, you **must** set the :ref:`global.secret_key <config_global>`
-  and the :ref:`global.cookie_env_var <config_global>` variables.
-  This design decision prevents an attacker from
-  `trivially bruteforcing <https://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/>`_
-  or re-using session cookies.
-:ref:`cookie_secure <cookie-encryption-feature>`, disabled by default, will activate transparent encryption of specific cookies.
-It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` mode.
-::
-  sp.cookie.name("my_cookie_name").encrypt();
-  sp.cookie.name("another_cookie_name").encrypt();
-Removing the user-agent part
-............................
-Some web browser extensions, such as `uMatrix <https://github.com/gorhill/uMatrix/wiki>`__
-might be configured to change the user-agent on a regular basis. If you think that
-some of your users might be using configurations like this, you might want to disable
-the mixing of the user-agent in the cookie's encryption key. The simplest way to do
-so is to set the environment variable ``HTTP_USER_AGENT`` to a fixed value before passing
-it to your php process.
-We think that this use case is too exotic to be worth implementing as a
-proper configuration directive.
-.. _env-var-config:
-Choosing the proper environment variable
-........................................
-It's up to you to choose a meaningful environment variable to derive the key from.
-Suhosin `is using <https://www.suhosin.org/stories/configuration.html#suhosin-session-cryptraddr>`_
-the ``REMOTE_ADDR`` one, tying the validity of the cookie to the IP address of the user;
-unfortunately, nowadays, people are `roaming <https://en.wikipedia.org/wiki/Roaming>`_ a lot on their smartphone,
-hopping from WiFi to 4G.
-This is why we recommend, if possible, to use the *extended master secret*
-from TLS connections (`RFC7627 <https://tools.ietf.org/html/rfc7627>`_)
-instead. The will make the validity of the cookie TLS-dependent, by using the ``SSL_SESSION_ID`` variable.
- In `Apache <https://httpd.apache.org/docs/current/mod/mod_ssl.html>`_,
-  it is possible to enable by adding ``SSLOptions StdEnvVars`` in your Apache2 configuration.
- In `nginx <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables>`_,
-  you have to use ``fastcgi_param SSL_SESSION_ID $ssl_session_id if_not_empty;``.
-If you aren't using TLS (you should be), you can always use the ``REMOTE_ADDR`` one,
-or ``X-Real-IP`` if you're behind a reverse proxy.
 readonly_exec
 ^^^^^^^^^^^^^
author	kkadosh	2018-05-29 19:34:16 +0000
committer	jvoisin	2018-05-29 19:34:16 +0000
commit	7832438b7abedf567ce6376f99949f419abcdff1 (patch)
tree	560e43918d1dc36ce4cf760a5b27aed0c563bc1c /doc/source/config.rst
parent	9eebe8c67e03e3041d454ea28e93996f7a67740b (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index d8389b6..b5bcad4 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -68,7 +68,7 @@ This configuration variable contains parameters that are used by multiple featur
68	sp.global.secret_key("44239bd400aa82e125337c9d4eb8315767411ccd");	68	sp.global.secret_key("44239bd400aa82e125337c9d4eb8315767411ccd");
69		69
70	- ``cookie_env_var``: A environment variable used as part of cookies encryption.	70	- ``cookie_env_var``: A environment variable used as part of cookies encryption.
71	See the :ref:`relevant documentation <env-var-config>`.	71	See the :ref:`relevant documentation <cookie-encryption-config>`
72		72
73	Bugclass-killer features	73	Bugclass-killer features
74	------------------------	74	------------------------
@@ -123,103 +123,9 @@ It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` m
123	Cookies-related mitigations	123	Cookies-related mitigations
124	^^^^^^^^^^^^^^^^^^^^^^^^^^^	124	^^^^^^^^^^^^^^^^^^^^^^^^^^^
125		125
126	.. warning::	126	Since snuffleupagus is providing several hardening features for cookies,
127	Those features are not available for session cookies `yet <https://github.com/nbs-system/snuffleupagus/issues/122>`_.	127	there is a :dedicated web page:`here <cookie-encryption-config>` about them.
128
129	auto_cookie_secure
130	""""""""""""""""""
131
132	:ref:`auto_cookie_secure <auto-cookie-secure-feature>`, disabled by default,
133	will automatically mark cookies as `secure
134	<https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie>`_ when the web page
135	is requested over HTTPS.
136
137	It can either be ``enabled`` or ``disabled``.
138
139	::
140
141	sp.auto_cookie_secure.enable();
142	sp.auto_cookie_secure.disable();
143
144	cookie_samesite
145	"""""""""""""""
146
147	:ref:`samesite <samesite-feature>`, disabled by default, will add the `samesite
148	<https://tools.ietf.org/html/draft-west-first-party-cookies-07>`_ attribute to
149	cookies. It `prevents CSRF <https://www.owasp.org/index.php/SameSite>`_ but is
150	not implemented by `all web browsers <https://caniuse.com/#search=samesite>`_
151	yet.
152
153	It can either be set to ``strict`` or ``lax``:
154
155	- The ``lax`` attribute prevents cookies from being sent cross-domain for
156	"dangerous" methods, like ``POST``, ``PUT`` or ``DELETE``.
157
158	- The ``strict`` one prevents any cookies from beind sent cross-domain.
159
160	::
161
162	sp.cookie.name("cookie1").samesite("lax");
163	sp.cookie.name("cookie2").samesite("strict");;
164
165	.. _cookie-encryption_config:
166
167	cookie_encryption
168	"""""""""""""""""
169
170	.. warning::
171
172	To use this feature, you must set the :ref:`global.secret_key <config_global>`
173	and the :ref:`global.cookie_env_var <config_global>` variables.
174	This design decision prevents an attacker from
175	`trivially bruteforcing <https://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/>`_
176	or re-using session cookies.
177
178	:ref:`cookie_secure <cookie-encryption-feature>`, disabled by default, will activate transparent encryption of specific cookies.
179
180	It can either be ``enabled`` or ``disabled`` and can be used in ``simulation`` mode.
181
182	::
183
184	sp.cookie.name("my_cookie_name").encrypt();
185	sp.cookie.name("another_cookie_name").encrypt();
186
187
188	Removing the user-agent part
189	............................
190
191	Some web browser extensions, such as `uMatrix <https://github.com/gorhill/uMatrix/wiki>`__
192	might be configured to change the user-agent on a regular basis. If you think that
193	some of your users might be using configurations like this, you might want to disable
194	the mixing of the user-agent in the cookie's encryption key. The simplest way to do
195	so is to set the environment variable ``HTTP_USER_AGENT`` to a fixed value before passing
196	it to your php process.
197
198	We think that this use case is too exotic to be worth implementing as a
199	proper configuration directive.
200
201	.. _env-var-config:
202
203	Choosing the proper environment variable
204	........................................
205
206	It's up to you to choose a meaningful environment variable to derive the key from.
207	Suhosin `is using <https://www.suhosin.org/stories/configuration.html#suhosin-session-cryptraddr>`_
208	the ``REMOTE_ADDR`` one, tying the validity of the cookie to the IP address of the user;
209	unfortunately, nowadays, people are `roaming <https://en.wikipedia.org/wiki/Roaming>`_ a lot on their smartphone,
210	hopping from WiFi to 4G.
211
212	This is why we recommend, if possible, to use the extended master secret
213	from TLS connections (`RFC7627 <https://tools.ietf.org/html/rfc7627>`_)
214	instead. The will make the validity of the cookie TLS-dependent, by using the ``SSL_SESSION_ID`` variable.
215
216	- In `Apache <https://httpd.apache.org/docs/current/mod/mod_ssl.html>`_,
217	it is possible to enable by adding ``SSLOptions StdEnvVars`` in your Apache2 configuration.
218	- In `nginx <https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables>`_,
219	you have to use ``fastcgi_param SSL_SESSION_ID $ssl_session_id if_not_empty;``.
220		128
221	If you aren't using TLS (you should be), you can always use the ``REMOTE_ADDR`` one,
222	or ``X-Real-IP`` if you're behind a reverse proxy.
223		129
224	readonly_exec	130	readonly_exec
225	^^^^^^^^^^^^^	131	^^^^^^^^^^^^^