
When using HTTPS, secure cookie to prevent potential weakness #3066

Closed
kim-fitness opened this issue Nov 4, 2019 · 1 comment
Labels
bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE
@kim-fitness
Contributor

Describe the bug
The Set-Cookie does not contain the secure flag, which is considered a CWE weakness: "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"; reference link below:
http://cwe.mitre.org/data/definitions/614.html

To Reproduce
Steps to reproduce the behavior:

  1. Go to the 'login' page
  2. Click on 'Keep me signed in' and then log in
  3. See the Set-Cookie in the HTTP response header when calling index.php via HTTP POST
  4. There is no secure flag.

Expected behavior
The Set-Cookie needs the secure flag.
The attached picture shows the correct behavior after I fixed this issue.

Screenshots
[Screen Shot 2019-11-04 at 4 27 47 PM]

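As an added example (not Cacti's code and not the reporter's), a small Python check that audits a response's Set-Cookie headers for the weakness reported above: over HTTPS every cookie must carry the Secure attribute (CWE-614), and HttpOnly is reported as a secondary finding. The cookie names and header values are constructed.

```python
"""Audit Set-Cookie headers for CWE-614 (Secure missing on an HTTPS session)."""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_set_cookies(headers: list[tuple[str, str]], scheme: str) -> list[CookieAudit]:
    """Audit every Set-Cookie header of a response served over `scheme`.

    Secure is only required when the response came over https, which mirrors
    the condition in this issue (secure cookie when HTTPS is in use).
    """
    results = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if scheme == "https" and not cookie.secure:
            cookie.findings.append("CWE-614: missing Secure attribute on HTTPS session")
        if not cookie.httponly:
            cookie.findings.append("missing HttpOnly attribute")
        results.append(cookie)
    return results


# Constructed sample headers (not captured from Cacti): the first cookie is
# set the way the issue reports it (no Secure), the second the way it should be.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "remember_token=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "session_id=def456; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for c in audit_set_cookies(SAMPLE_HEADERS, "https"):
        print(c.name, c.findings or "ok")
```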

netniV pushed a commit that referenced this issue Nov 8, 2019
* Update global.php

* Update auth.php

* Update CHANGELOG
cigamit added a commit that referenced this issue Nov 9, 2019
This was merged into develop, but due to it being security related, we will include it in the 1.2.8
@cigamit cigamit added bug Undesired behaviour resolved A fixed issue SECURITY A security issue reported through CVE labels Nov 9, 2019
@cigamit cigamit added this to the v1.2.8 milestone Nov 9, 2019
@cigamit
Member

cigamit commented Nov 9, 2019

Closing. Thanks for your contribution.

@cigamit cigamit closed this as completed Nov 9, 2019
@netniV netniV changed the title Need to add secure flag to cookie when HTTPS is enabled When using HTTPS, secure cookie to prevent potential weakness Dec 7, 2019
@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020