 |
|
Item10061: Cookies not properly forced to be secure if HTTPS connection
Priority: Normal
Current State: Closed
Released In: 1.1.3
Target Release: patch
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component:
Branches:
Component:
Branches:
Foswiki::Request::cookie() subroutine is never really being called with a defined $value. I even tried a login and a refresh of the wiki page after dumping cookies in my browser.
Is there something I am missing here? There are plenty of workarounds on the browser side, but I would like to be extra safe.
-- DaveHayes - 20 Nov 2010
Well I did miss another place, in Foswiki/Validation/getCookie() you folks also create a cookie, but no attempt is made to see if the session is secure at that point.
More as I find it. 
-- DaveHayes - 20 Nov 2010
Also in Foswiki/LoginManager/_addSessionCookieToResponse() and again no attempt to see if the transport (not the session, my mistake above) is secure or not.
-- DaveHayes - 20 Nov 2010
The following patch appears to fix the problem. It's a hack to be sure, likely the check for a secure transport should be abstracted to the engine code and called through the engine, but I bet this works for all cases anyway:
--- a/lib/Foswiki/LoginManager.pm
+++ b/lib/Foswiki/LoginManager.pm
@@ -814,7 +814,8 @@ sub _addSessionCookieToResponse {
-value => $this->{_cgisession}->id(),
-path => '/',
-domain => $Foswiki::cfg{Sessions}{CookieRealm} || '',
- -httponly => 1
+ -httponly => 1,
+ -secure => ( ((uc( $ENV{HTTPS} ) eq 'ON') || ($ENV{SERVER_PORT} == 443)) ? 1 : 0),
);
# An expiry time is only set if the session has the REMEMBER variable
diff --git a/lib/Foswiki/Validation.pm b/lib/Foswiki/Validation.pm
index b9be95e..0ced8ab 100644
--- a/lib/Foswiki/Validation.pm
+++ b/lib/Foswiki/Validation.pm
@@ -150,6 +150,7 @@ sub getCookie {
-value => $secret,
-path => '/',
-httponly => 0, # we *want* JS to be able to read it!
+ -secure => ( ((uc( $ENV{HTTPS} ) eq 'ON') || ($ENV{SERVER_PORT} == 443)) ? 1 : 0),
);
return $cookie;
-- DaveHayes - 20 Nov 2010
it sure does cry out for an abstraction :/
-- SvenDowideit - 13 Dec 2010
We already have such an abstraction: Foswiki::Request::secure(). %ENV is guaranteed to exist only in CGI environments (and at best, FastCGI).
I'm reopening this to make the change.
-- GilmarSantosJr - 27 Feb 2011
ItemTemplate edit
| Summary | Cookies not properly forced to be secure if HTTPS connection |
| ReportedBy | DaveHayes |
| Codebase | 1.1.2, trunk |
| SVN Range | |
| AppliesTo | Engine |
| Component | |
| Priority | Normal |
| CurrentState | Closed |
| WaitingFor | |
| Checkins | distro:c4cd8ca39e71 distro:2fd733ffc667 distro:7d0102c376e0 distro:2b6e6bc171e9 distro:af7b95099c0f distro:92717dc4f796 distro:411a16255df1 distro:6095f08de17b distro:0976f0311381 distro:b932f0e1df23 distro:4ada4a62b795 distro:8d85ee119455 |
| TargetRelease | patch |
| ReleasedIn | 1.1.3 |
Edit | Attach | Print version | History: r19 < r18 < r17 < r16 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r19 - 16 Apr 2011, KennethLavrsen
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy