Cookie encryption

Hello,

I like to use Piwik on our company websites, but there is a little problem I found by testing Piwik.

By our company policy we are advised to use cookie encryption on all of our websites for security reasons. Normally we just activate Suhosin for PHP-based sites and ensure that the transparent session and cookie encryption is active.

I tried to do the same with Piwik and had to learn that Piwik doesn't use the normal way to send cookies to the client. So the transparent cookie encryption doesn't work like it should.

Is there any way to ensure that all cookies are encrypted by Piwik?

Regards
SecurityFreak

Sorry, I am not sure: what is different in the way Piwik sets cookies that prevents them?

I recommend forcing Piwik to use SSL: Turn on automatic SSL redirection in your Piwik. How to - Analytics Platform - Matomo

Hi Matt,

thanks for answering.
The difference is that Piwik doesn't use the PHP function setcookie() for sending cookies.
I am not very used to PHP, but I found a cookie handling class in core/Cookie.php with the following method:
    /**
     * setcookie() replacement -- we don't use the built-in function because
     * it is buggy for some PHP versions.
     *
     * @link PHP: setcookie - Manual
     *
     * @param string $Name Name of cookie
     * @param string $Value Value of cookie
     * @param int $Expires Time the cookie expires
     * @param string $Path
     * @param string $Domain
     * @param bool $Secure
     * @param bool $HTTPOnly
     */
    protected function setCookie($Name, $Value, $Expires, $Path = '', $Domain = '', $Secure = false, $HTTPOnly = false)
    {
        if (!empty($Domain))
        {
            // Fix the domain to accept domains with and without 'www.'.
            if (!strncasecmp($Domain, 'www.', 4))
            {
                $Domain = substr($Domain, 4);
            }
            $Domain = '.' . $Domain;

            // Remove port information.
            $Port = strpos($Domain, ':');
            if ($Port !== false)  $Domain = substr($Domain, 0, $Port);
        }

        $header = 'Set-Cookie: ' . rawurlencode($Name) . '=' . rawurlencode($Value)
                . (empty($Expires) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s', $Expires) . ' GMT')
                . (empty($Path) ? '' : '; path=' . $Path)
                . (empty($Domain) ? '' : '; domain=' . $Domain)
                . (!$Secure ? '' : '; secure')
                . (!$HTTPOnly ? '' : '; HttpOnly');

        Piwik_Common::sendHeader($header, false);
    }

The problem is that Suhosin can't do the transparent cookie encryption when cookies are sent this way.
And SSL redirection doesn't solve my problem because the cookie can be manipulated on the client side when it's not encrypted.

Not sure what we can do. This is a relevant ticket: auth cookie to hide auth token · Issue #1419 · matomo-org/matomo · GitHub

OK, this is now a bit freaky, but will work.
A colleague played around a bit with this class for URL parameter encryption:
http://www.governmentsecurity.org/forum/topic/21157-blowfish-encryption-class/

It's fast and very easy to use.
It's just important to change the random pools at the beginning of the class to something nobody can copy and paste from the web, but that's just an initial task.

Maybe you have a different or better idea on that topic.

OK, please submit a patch or plugin or if you cant :)

LOL, not an answer I expected, but OK, I will try to build something that works.
But be aware that I'm not a developer.
So this might result in some ugly code and will take some time, because I have no clue how Piwik works internally.

Hi Matt,

after playing around a bit with Piwik, the topic of cookie encryption has become more and more important.
When you try to run Piwik behind a Web Application Firewall like ModSecurity with the rule set from Trustwave SpiderLabs, you get some very ugly error messages in the log files and the visitor gets blocked. This results from different things, but mostly you can find the problems in the cookie content.

For example:
When you write a "--" into a cookie, followed by some other text (URL encoded or not), the WAF blocks the visitor with the reason of SQL comment evasion.
And there are many more problems like this.

OK, back to the topic again…
With cookie encryption these problems are gone and you also have the option to compress cookie content, if you implement a method for it.

I had a look into the Blowfish class and tried to understand what happens there. As I understand the class, it's not so very important to regenerate the values in the arrays at the beginning of the class.
These values are salted by the password, and as long as we talk about cookie encryption there is no need to make the content safe for several years. Some days are enough, and with the standard values it will do that job well enough.

I made some changes to the Piwik code to implement the class. How can I send you a patch file?

http://piwik.org/participate/development-process/#toc-how-to-submit-a-patch-or-pull-request
HTH
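
Added example, not part of the thread and not Piwik or Suhosin code: one way to seal a cookie value so that client-side manipulation is detected, and so that the stored value is plain hex in which the "--" sequence from the WAF example cannot occur. It uses AES-256-GCM from PHP's OpenSSL extension (PHP 7.1 or later) rather than the Blowfish class linked above; `seal_cookie()`, `open_cookie()`, the cookie name and the key handling are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helpers, not Piwik code).
const NONCE_LEN = 12; // GCM nonce length in bytes
const TAG_LEN   = 16; // GCM authentication tag length in bytes

function seal_cookie(string $name, string $value, string $key): string
{
    $nonce = random_bytes(NONCE_LEN); // fresh nonce for every cookie write
    $tag   = '';
    // The cookie name is bound as additional authenticated data, so a
    // sealed value cannot be replayed under a different cookie name.
    $ct = openssl_encrypt($value, 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $nonce, $tag, $name, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('cookie encryption failed');
    }
    // Hex output is limited to [0-9a-f].
    return bin2hex($nonce . $tag . $ct);
}

function open_cookie(string $name, string $sealed, string $key): ?string
{
    // Reject anything that is not well-formed hex of the minimum length.
    if (!ctype_xdigit($sealed) || strlen($sealed) % 2 !== 0) {
        return null;
    }
    $raw = hex2bin($sealed);
    if (strlen($raw) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag   = substr($raw, NONCE_LEN, TAG_LEN);
    $ct    = (string) substr($raw, NONCE_LEN + TAG_LEN);
    // Returns false when the tag does not verify, i.e. the value was altered.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, $nonce, $tag, $name);
    return $pt === false ? null : $pt;
}

// Constructed sample data: in production the 32-byte key comes from
// server-side configuration and never leaves the server.
$key    = random_bytes(32);
$sealed = seal_cookie('example_cookie', 'ref=a--b', $key);
var_dump(ctype_xdigit($sealed));                        // sealed value is hex only
var_dump(open_cookie('example_cookie', $sealed, $key)); // original value
// Flip the last hex digit to simulate manipulation on the client.
$tampered = substr($sealed, 0, -1) . (substr($sealed, -1) === '0' ? '1' : '0');
var_dump(open_cookie('example_cookie', $tampered, $key)); // rejected
var_dump(open_cookie('other_cookie', $sealed, $key));     // rejected
```

The sealed string would be passed as the `$Value` argument of the `setCookie()` method quoted earlier in the thread, and `open_cookie()` applied when the cookie is read back; a `null` result should be treated as "no cookie".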