[dev.icinga.com #11187] Session cookie: Path too broad and unset secure flag on HTTPS #2307
This issue has been migrated from Redmine: https://dev.icinga.com/issues/11187
Created by elabedzki on 2016-02-18 16:03:18 +00:00
Protected should be set to yes, because if the path is "/icingaweb2/" or whatever it is called, "/foobar/" will presumably collide with it.
2016-02-26 13:26:10 +00:00 by aklimov f46f10d
2016-02-26 14:49:05 +00:00 by aklimov 5b86493
2016-02-26 15:22:18 +00:00 by aklimov 8132d95
2016-02-26 17:03:02 +00:00 by aklimov a790b4d
2016-02-26 17:05:59 +00:00 by aklimov 05ef689
2016-02-27 21:17:01 +00:00 by aklimov 923e902
2016-02-27 21:19:37 +00:00 by elippmann 5f64287
2016-02-27 21:24:01 +00:00 by elippmann 5f43ac8
2016-02-27 21:42:32 +00:00 by elippmann 03d7f3a
2016-02-27 21:47:20 +00:00 by elippmann 25f5969
Updated by tgelf on 2016-02-18 17:45:07 +00:00
I can confirm this, the current behaviour is not acceptable. We tried to do the right thing and badly failed :p
Icinga\Web\Cookie takes care of this, in theory. It uses secure for HTTPS as a default and allows config to override this (sometimes important for installations behind proxies). However, this method has a bug and returns the wrong value. Even worse, the corresponding code is nonetheless not used for our cookies, for the following reasons:
It's incorrect and always has been. It should be fixed, and a config setting should allow overriding the auto-detected path.
Please implement a test that greps our whole codebase for setcookie. It should not be allowed anywhere but in library/Icinga/Web/Response.php and in library/Icinga/Web/Session/PhpSession.php.
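As an added example (not Icinga Web 2's own code; the class and function names, the `$config` keys and the sample `$_SERVER` arrays are assumptions for illustration) covering the two points raised above: deriving the cookie Path from the application base instead of "/", deriving the Secure flag from the request with a configuration override for installations behind a TLS-terminating proxy, and a guard that lists every `setcookie` call outside the two files in which it is allowed:

```php
<?php
// Added example, not Icinga Web 2 code. Names, $config keys and the sample
// $_SERVER arrays below are assumptions for illustration.

final class SessionCookieOptions
{
    /**
     * Build the session cookie parameters for one request.
     * $server is a copy of $_SERVER; $config may carry 'path' (string) and/or
     * 'secure' (bool) to override the auto-detected values.
     */
    public static function fromRequest(array $server, array $config = []): array
    {
        // Path: scope the cookie to the application base (e.g. "/icingaweb2/"),
        // never "/", so a second application under "/foobar/" cannot read or
        // overwrite it. A configured path wins over auto-detection.
        $path = $config['path'] ?? self::basePath($server['SCRIPT_NAME'] ?? '/');

        // Secure: set when the request itself arrived over HTTPS. Behind a proxy
        // that terminates TLS, PHP sees plain HTTP, so the deployment must force
        // 'secure' => true in $config; a client-supplied X-Forwarded-Proto header
        // is deliberately not trusted here.
        $secure = $config['secure'] ?? self::isHttps($server);

        return [
            'lifetime' => 0,          // discarded when the browser closes
            'path'     => $path,
            'domain'   => '',
            'secure'   => $secure,
            'httponly' => true,       // keep the session id away from scripts
            'samesite' => 'Lax',
        ];
    }

    /** "/icingaweb2/index.php" -> "/icingaweb2/", "/index.php" -> "/" */
    public static function basePath(string $scriptName): string
    {
        $dir = str_replace('\\', '/', dirname($scriptName));
        return rtrim($dir, '/') . '/';
    }

    /** HTTPS as reported by the web server, not by request headers. */
    public static function isHttps(array $server): bool
    {
        $https = strtolower((string) ($server['HTTPS'] ?? ''));
        if ($https !== '' && $https !== 'off') {
            return true;
        }
        return (int) ($server['SERVER_PORT'] ?? 0) === 443;
    }
}

/** Apply the parameters before session_start(); the array form needs PHP >= 7.3. */
function applySessionCookieOptions(array $options): void
{
    session_set_cookie_params($options);
}

/**
 * Guard test: return every call to setcookie found in .php files under $root,
 * except in the files listed in $allowed (paths relative to $root).
 * An empty result means the rule holds.
 */
function findForbiddenSetcookieCalls(string $root, array $allowed): array
{
    $hits  = [];
    $root  = rtrim($root, '/');
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/');
        if (in_array($rel, $allowed, true)) {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (preg_match('/\bsetcookie\s*\(/', $line)) {
                $hits[] = $rel . ':' . ($n + 1);
            }
        }
    }
    return $hits;
}

// Constructed sample requests: TLS terminated by a proxy (backend sees HTTP)
// and a direct HTTPS request.
$behindProxy = ['SCRIPT_NAME' => '/icingaweb2/index.php', 'HTTPS' => '', 'SERVER_PORT' => 80];
$direct      = ['SCRIPT_NAME' => '/icingaweb2/index.php', 'HTTPS' => 'on', 'SERVER_PORT' => 443];

var_dump(SessionCookieOptions::fromRequest($behindProxy));                     // auto-detection alone: Secure follows the proxy's plain-HTTP view
var_dump(SessionCookieOptions::fromRequest($behindProxy, ['secure' => true])); // deployment override fixes that
var_dump(SessionCookieOptions::fromRequest($direct));                          // direct HTTPS: Secure auto-detected, Path scoped to /icingaweb2/

$allowed = ['library/Icinga/Web/Response.php', 'library/Icinga/Web/Session/PhpSession.php'];
print_r(findForbiddenSetcookieCalls(__DIR__, $allowed));
```

The guard scan is the test the comment asks for, expressed in PHP so it can live next to the other unit tests; `findForbiddenSetcookieCalls()` returning a non-empty list is the failure condition. The proxy case is the one that matters in practice: auto-detection cannot see that the client used TLS, so the override has to be an explicit deployment setting rather than a spoofable header.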