Cookie lacking "secure" flag for HTTPS sites
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Low | Robert Lyon |
1.10 | Fix Released | Low | Unassigned |
1.8 | Fix Released | Low | Unassigned |
1.9 | Fix Released | Low | Unassigned |
15.04 | Fix Released | Low | Robert Lyon |
Bug Description
The cookie "lastinstitution" that we use to show the proper institution theme to logged-out users does not properly use the "secure" attribute for sites that are using HTTPS. This means it's possible for the cookie's contents to be obtained via non-HTTPS.
Not a huge thing, since its use is somewhat limited in scope, and the "lastinstitution" data is not very sensitive, but it would be good to use it.
While we're at it, we might also want to check on the (much more important) PHP session cookie. This can be set at the server level, but we could also check for it in PHP. See http://
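As an added illustration of the fix the report asks for (this is example code written for this page, not Mahara's own `set_cookie()` from lib/web.php or its `is_https()`), the helper below passes the Secure flag to `setcookie()` whenever the request arrived over TLS, and applies the same policy to the PHP session cookie before `session_start()`. The function names `site_is_https()`, `set_cookie_with_flags()` and `harden_session_cookie()` are hypothetical, the trust placed in `X-Forwarded-Proto` is an assumption about the deployment, and the array form of `setcookie()` / `session_set_cookie_params()` requires PHP 7.3 or later.

```php
<?php
// Added example, not Mahara's code: set cookies with the Secure flag on HTTPS
// sites and harden the PHP session cookie the same way. All function names
// here are hypothetical.

/**
 * Returns true when the current request was served over TLS.
 * Checks the standard $_SERVER['HTTPS'] marker and, for deployments behind a
 * TLS-terminating reverse proxy, the X-Forwarded-Proto header.
 * Assumption: the proxy is trusted to set that header; without a trusted
 * proxy an unauthenticated client could supply it, so drop that branch.
 */
function site_is_https(): bool {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

/**
 * Wrapper around setcookie() that always sets HttpOnly and sets Secure when
 * the site is served over HTTPS. Returns the options actually used so a
 * caller (or a test) can confirm what was sent.
 */
function set_cookie_with_flags(string $name, string $value, int $expires = 0, string $path = '/'): array {
    $options = [
        'expires'  => $expires,
        'path'     => $path,
        'secure'   => site_is_https(), // browser only sends the cookie over TLS
        'httponly' => true,            // not readable from document.cookie
        'samesite' => 'Lax',           // limits cross-site sending
    ];
    if (!headers_sent()) {
        setcookie($name, $value, $options);
    }
    return $options;
}

/**
 * Apply the same policy to the PHP session cookie before session_start().
 * Equivalent to session.cookie_secure / session.cookie_httponly in php.ini,
 * but enforced from code so it is not left to the server configuration.
 */
function harden_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => site_is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage: the 'lastinstitution' cookie discussed in the report, kept for 30 days.
// The institution name below is a constructed sample value.
harden_session_cookie();
session_start();
set_cookie_with_flags('lastinstitution', 'sample-institution', time() + 30 * 86400);
```

To confirm the fix on a running site, inspect the `Set-Cookie` response headers (for example in the browser's developer tools or with `curl -I` against the HTTPS URL) and check that both the application cookie and the session cookie carry the `Secure` and `HttpOnly` attributes.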
Changed in mahara: status: Fix Committed → Fix Released
By the looks of things the htdocs/auth/session.php file has the secure flag set if is_https() returns true on line 31.
However the set_cookie() function in lib/web.php and the cookieconsent javascript plugin needed to allow for the 'secure' flag.