Cookies should be set as 'secure' over SSL #1756
Reported by mkj on 11 Sep 2008 15:57 UTC as Trac ticket #1485336
Even if a website is set up using SSL, an active attacker can steal cookies unless the cookies have been set 'secure' - see http://fscked.org/blog/fully-automated-active-https-cookie-hijacking
Roundcube doesn't set cookies as secure. It looks like the only place that needs changing is the second setcookie() in
might be the way to go? (I haven't used PHP much so am guessing from the docs).
Comment by robin on 12 Sep 2008 06:48 UTC
I have no test-RC running over https so cannot test that. Over http this doesn't have any impact.
Comment by mkj on 12 Sep 2008 17:32 UTC
I've tested that patch here (with roundcube 0.1.1 though) and it sets the logged-in sessionid cookie as secure, but doesn't set the initial pre-login session cookie as secure. I'm not sure if that really matters though? Does the pre-login session cookie get used for anything?
session_set_cookie_params() could be used to set up the initial cookie as secure I think.
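The two mechanisms discussed in this ticket, shown side by side as an added example (this is not Roundcube's code and not the patch mkj tested; the cookie name, lifetime and the `is_https()` helper are assumptions for illustration). It marks both the pre-login session cookie, via session_set_cookie_params() before session_start(), and an explicitly set cookie, via setcookie(), as `secure` whenever the request arrived over HTTPS, so the browser will never send them over plain HTTP. HttpOnly is set as well, which is unrelated to the hijacking described in the ticket but costs nothing here.

```php
<?php
// Added example, not Roundcube code. Demonstrates the 'secure' cookie flag
// for the two cookies discussed in the ticket: the PHP session cookie and
// a cookie written directly with setcookie().

// Assumption: the request is considered HTTPS when PHP's SAPI reports it.
// Behind a TLS-terminating proxy this check would have to be adapted.
function is_https()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

$secure   = is_https();
$httponly = true;            // keep the cookie out of reach of page scripts
$lifetime = 0;               // session cookie; expires when the browser closes
$path     = '/';
$domain   = '';              // current host only

// 1. Pre-login session cookie: must be configured BEFORE session_start(),
//    otherwise PHP has already emitted the Set-Cookie header without 'secure'.
//    Positional form works on PHP 5.2+ (PHP 7.3+ also accepts an options array).
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();

// 2. A cookie set directly by the application (e.g. after login).
//    Weak form from the ticket: no 'secure' argument, so the cookie is sent
//    over http:// as well as https:// and can be captured by an active attacker.
//
//    setcookie('sessid', $value, $lifetime, $path, $domain);
//
//    Corrected form: pass $secure (and $httponly) explicitly.
$value = session_id();       // placeholder value for the illustration
setcookie('sessid', $value, $lifetime, $path, $domain, $secure, $httponly);
```

When testing this over HTTPS, the response headers should show `Set-Cookie: PHPSESSID=...; path=/; secure; HttpOnly` before login and the same flags on the application cookie afterwards; as robin notes, over plain HTTP the flag has no effect, so a check has to be done on an SSL-enabled instance.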