Moin should return 'secure' cookies.

Bug #352554 reported by Andrew Glen-Young
Affects: Moin OpenID module
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Overview:

If a user currently has a MoinMoin cookie and makes a request to a wiki using HTTP (unencrypted), the cookie will be transmitted over the unencrypted connection. The web server will redirect the request (301) to the HTTPS site (encrypted) and any further requests (with the auth cookie) will be encrypted.

The seriousness of this issue may be debated.

Solution:

Modern web browsers support "secure" cookies. If the web server returns a cookie with the 'secure' field, then the browser will only send the cookie if the connection is encrypted [1].

See attached patch (backport from 1.7)

Of course this ignores any XSS which may be exploited to steal the cookie (which supporting http only cookies may help).

[1] This is not necessarily true. The browser (not the server) determines how secure the connection should be. This may include encryption, but not necessarily.

Tags: moin openid
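The attached backport is not reproduced on this page. As an added example (not MoinMoin's code and not the reporter's patch), the Python below shows the server side of what the report asks for: emitting a Set-Cookie header that carries the Secure attribute (and HttpOnly, which the report mentions as a partial defence against script-based cookie theft), a small audit that lists which of those attributes a given Set-Cookie header lacks, and a check that models the usual browser rule for Secure (the cookie is attached to https requests and withheld from plain http ones; as footnote [1] notes, the user agent, not the server, is the one applying that rule). The cookie name MOIN_SESSION, the value abc123 and the host wiki.example.org are constructed placeholders.

```python
# Added example (not MoinMoin's code or the attached patch): emit and audit
# Set-Cookie headers for the Secure and HttpOnly attributes.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_session_cookie(name, value, secure=True, httponly=True, path="/"):
    """Return a Set-Cookie header value with the requested attributes.

    Secure:   the browser only sends the cookie on encrypted (https) requests.
    HttpOnly: page scripts cannot read the cookie through document.cookie.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    morsel["secure"] = bool(secure)      # flag attribute: emitted only when True
    morsel["httponly"] = bool(httponly)  # likewise
    return morsel.OutputString()


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr-lowercase: attr-value}).

    Attribute names are case-insensitive; flag attributes map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_attributes(header_value):
    """Return the protective attributes absent from a Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def browser_would_send(header_value, request_url):
    """Model the browser rule for the Secure attribute only.

    A cookie set with Secure is attached to https requests and never to
    plain http requests; a cookie without Secure is sent either way.
    """
    _, _, attrs = parse_set_cookie(header_value)
    scheme = urlsplit(request_url).scheme.lower()
    if "secure" in attrs:
        return scheme == "https"
    return True


if __name__ == "__main__":
    # Constructed values: cookie name, value and wiki host are placeholders.
    weak = "MOIN_SESSION=abc123; Path=/"
    hardened = build_session_cookie("MOIN_SESSION", "abc123")
    for header in (weak, hardened):
        print(header)
        print("  missing attributes:", missing_attributes(header) or "none")
        print("  sent over http: ", browser_would_send(header, "http://wiki.example.org/"))
        print("  sent over https:", browser_would_send(header, "https://wiki.example.org/"))
```

The weak header is what the report describes: the cookie rides along on the initial unencrypted request that the server then redirects to HTTPS. The hardened header is withheld by the browser on that first http request, so only the redirect, not the session cookie, crosses the wire in the clear. The audit function is the kind of check a deployment test can run against the wiki's responses to confirm the backported change is actually in effect.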
Revision history for this message
Andrew Glen-Young (aglenyoung) wrote:
affects: canonical-bis-openid → moin-openid