Moin should return 'secure' cookies.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Moin OpenID module | New | Undecided | Unassigned | 
Bug Description
Overview:
If a user currently has a MoinMoin cookie and makes a request to a wiki using HTTP (unencrypted), the cookie will be transmitted over the unencrypted connection. The web server will redirect the request (301) to the HTTPS site (encrypted) and any further requests (with the auth cookie) will be encrypted.
The seriousness of this issue may be debated.
Solution:
Modern web browsers support "secure" cookies. If the web server returns a cookie with the 'secure' field, then the browser will only send the cookie if the connection is encrypted [1].
See the attached patch (backport from 1.7).
Of course this ignores any XSS which may be exploited to steal the cookie (which supporting HttpOnly cookies may help with).
[1] This is not necessarily true. The browser (not the server) determines how secure the connection should be. This may include encryption, but not necessarily.
affects: canonical-bis-openid → moin-openid
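Added example (not MoinMoin's code, not the attached patch): it mints a session cookie with the Secure and HttpOnly attributes using Python's standard library and then models the browser rule the report relies on, so the http:// then 301 to https:// sequence from the description can be replayed with and without the flag. The cookie name MOIN_SESSION, the value and the wiki URLs are made up for the example.

```python
"""Added example: Secure/HttpOnly cookie minting plus a model of the
browser-side send rule.  Not MoinMoin code; names and values are made up."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed cookie name for the example; MoinMoin's real cookie name is not shown here.
SESSION_COOKIE = "MOIN_SESSION"


def set_cookie_header(value, secure=True, httponly=True):
    """Return the Set-Cookie header value for the session cookie.

    secure   -> browser only sends the cookie over an encrypted connection
    httponly -> cookie is not exposed to document.cookie (limits XSS theft)
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = value
    jar[SESSION_COOKIE]["path"] = "/"
    if secure:
        jar[SESSION_COOKIE]["secure"] = True
    if httponly:
        jar[SESSION_COOKIE]["httponly"] = True
    return jar[SESSION_COOKIE].OutputString()


def parse_set_cookie(header):
    """Parse a Set-Cookie header value back into a Morsel (what a browser stores)."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[SESSION_COOKIE]


def browser_sends_cookie(morsel, url):
    """Model of the common browser rule: a Secure cookie travels only on https URLs."""
    scheme = urlsplit(url).scheme
    if morsel["secure"]:
        return scheme == "https"
    return scheme in ("http", "https")


def script_can_read_cookie(morsel):
    """HttpOnly cookies are hidden from page scripts, so XSS cannot read them directly."""
    return not morsel["httponly"]


def replay_bug_scenario(header):
    """Replay the report: the browser holds the cookie, the user requests an
    http:// URL, the server answers 301 to https://, the browser follows.
    Returns (sent_on_plain_http, sent_after_redirect_to_https)."""
    morsel = parse_set_cookie(header)
    plain_http = browser_sends_cookie(morsel, "http://wiki.example.org/FrontPage")
    after_redirect = browser_sends_cookie(morsel, "https://wiki.example.org/FrontPage")
    return plain_http, after_redirect


if __name__ == "__main__":
    for secure in (False, True):
        header = set_cookie_header("s3ss10n-value", secure=secure)
        print(f"Set-Cookie: {header}")
        print("  leaked on http, sent on https:", replay_bug_scenario(header))
```

Without the flag the first (cleartext) request already carries the cookie, which is the leak the report describes; with it the cookie first appears on the post-redirect HTTPS request. HttpOnly addresses the separate XSS theft path mentioned at the end of the report, not the cleartext one.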