Cookie lacking "secure" flag for HTTPS sites

Bug #1384009 reported by Aaron Wells on 2014-10-22
Affects   Importance   Assigned to
Mahara    Low          Robert Lyon
1.10      Low          Unassigned
1.8       Low          Unassigned
1.9       Low          Unassigned
15.04     Low          Robert Lyon

Bug Description

The cookie "lastinstitution" that we use to show the proper institution theme to logged-out users, does not properly use the "secure" attribute for sites that are using HTTPS. This means it's possible for the cookie's contents to be obtained via non-HTTPS.

Not a huge thing, since its use is somewhat limited in scope, and the "lastinstitution" data is not very sensitive, but it would be good to use it.

While we're at it, we might also want to check on the (much more important) PHP session cookie. This can be set at the server level, but we could also check for it in PHP. See http://stackoverflow.com/questions/6821883/set-httponly-and-secure-on-phpsessid-cookie-in-php for details on that.

Robert Lyon (robertl-9) wrote :

By the looks of things the htdocs/auth/session.php file has the secure flag set if_https() returns true on line 31.

However, the set_cookie() function in lib/web.php and the cookieconsent JavaScript plugin needed to allow for the 'secure' flag.
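The bug description and the comment above both come down to the same two things: a cookie-setting helper that only adds the "secure" attribute when the request actually came in over HTTPS, and the same treatment for the PHP session cookie (session.cookie_secure / session.cookie_httponly). The following is an added example written for this page, not Mahara's own lib/web.php or htdocs/auth/session.php. The names is_https() and set_cookie() are borrowed from the thread, but their bodies are assumptions, as is the PHP 7.3+ options-array form of setcookie() and session_set_cookie_params().

```php
<?php
// Added example (not Mahara's code): a cookie helper that sets the "secure"
// flag whenever the request arrived over TLS, plus the equivalent hardening
// for the PHP session cookie. is_https() and set_cookie() echo the function
// names mentioned in this bug; the implementations below are assumptions.
// Requires PHP >= 7.3 for the options-array signatures.

/**
 * True when the current request was served over TLS.
 * $_SERVER['HTTPS'] is set by Apache and by nginx+php-fpm when fastcgi_param
 * HTTPS is passed; the port check is a fallback for setups that omit it.
 */
function is_https(): bool {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

/**
 * Set a cookie. Over HTTPS the "secure" attribute is added so the browser
 * never transmits it on a plain-http request to the same host, which is the
 * leak described in the bug. HttpOnly is on by default so page script
 * cannot read it either.
 */
function set_cookie(string $name, string $value, int $expires = 0,
                    string $path = '/', string $domain = '',
                    bool $httponly = true): bool {
    return setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => is_https(),   // the missing flag this bug is about
        'httponly' => $httponly,
        'samesite' => 'Lax',
    ]);
}

/**
 * Harden the PHP session cookie before session_start().
 * Same effect as session.cookie_secure=1 / session.cookie_httponly=1 in
 * php.ini, but enforced in code so a server-level misconfiguration cannot
 * silently drop the flags (the "check for it in PHP" suggestion above).
 */
function start_secure_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Usage, before any output is sent (headers must still be open):
start_secure_session();
// 'lastinstitution' is the cookie named in the bug; the value is a placeholder.
set_cookie('lastinstitution', 'mahara', time() + 60 * 60 * 24 * 365);
```

To confirm the fix on a deployed site, inspect the response headers rather than the code, e.g. `curl -sI https://your-site/ | grep -i '^set-cookie'`, and check that every Set-Cookie line for the HTTPS origin carries `secure` (and `HttpOnly` for the session cookie). Two caveats: the flag is only meaningful when the whole site is served over TLS, since a secure-flagged cookie is simply not sent on http:// requests, which is the mixed-content concern raised later in this thread about upstreaming the Cookie Consent patch; and a cookie set with the flag cannot be read back on a plain-http page of the same host, so any remaining http:// entry points will see logged-out users without their institution theme.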

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/3939

Aaron Wells (u-aaronw) wrote :

I just uploaded some patches for this... but then I noticed that Robert already uploaded some patches as well!

Here's mine:
https://reviews.mahara.org/3938
https://reviews.mahara.org/3939

Here's Robert's:
https://reviews.mahara.org/#/c/3898
https://reviews.mahara.org/#/c/3899

information type: Private Security → Public Security

Reviewed: https://reviews.mahara.org/3939
Committed: http://gitorious.org/mahara/mahara/commit/e7d46cfc36d0a45a99c7dd598a455e0556d9f4b5
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit e7d46cfc36d0a45a99c7dd598a455e0556d9f4b5
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 19:08:28 2014 +1300

Make Cookie Consent set the "secure" flag over HTTPS

Bug 1384009

Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8

Aaron Wells (u-aaronw) wrote :

Robert,

Can you please "publish" your draft change https://reviews.mahara.org/#/c/3898/2 ? I've marked this as a "public security" bug, so there's no need to keep the patch secret now.

Cheers,
Aaron

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3898
Committed: http://gitorious.org/mahara/mahara/commit/dfbb1197e82e478f04952d62a9a1bf5333bfe559
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit dfbb1197e82e478f04952d62a9a1bf5333bfe559
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3966

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3967

Reviewed: https://reviews.mahara.org/3967
Committed: http://gitorious.org/mahara/mahara/commit/9268eb858f6c27eaf7e119e8594cea278c7fa82d
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 9268eb858f6c27eaf7e119e8594cea278c7fa82d
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3966
Committed: http://gitorious.org/mahara/mahara/commit/d9af551ce0d9ab1641259fbe010a468d206417d0
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit d9af551ce0d9ab1641259fbe010a468d206417d0
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3965
Committed: http://gitorious.org/mahara/mahara/commit/71c08f65b8ca5648ceec5dfb332934924f2de8f9
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 71c08f65b8ca5648ceec5dfb332934924f2de8f9
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/3969

Reviewed: https://reviews.mahara.org/3968
Committed: http://gitorious.org/mahara/mahara/commit/5210bfb12548b13000db33292d4649e07c565615
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit 5210bfb12548b13000db33292d4649e07c565615
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 19:08:28 2014 +1300

Make Cookie Consent set the "secure" flag over HTTPS

Bug 1384009

Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3969
Committed: http://gitorious.org/mahara/mahara/commit/7c6f8fdfc573befda0a91b434e2ccec3f2c99920
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 7c6f8fdfc573befda0a91b434e2ccec3f2c99920
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 19:08:28 2014 +1300

Make Cookie Consent set the "secure" flag over HTTPS

Bug 1384009

Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8

Aaron Wells (u-aaronw) wrote :

Because Cookie Consent doesn't have a public bug tracker anywhere, I sent them an email to share the patch https://reviews.mahara.org/3939 back upstream.

Although I suppose for general-purpose Cookie Consent use, they probably won't want to upstream that patch, since Cookie Consent may be used on mixed-content sites, in which it would actually be preferable *not* to have the "secure" flag set.

Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released