Mahara

Cookie lacking "secure" flag for HTTPS sites

Bug #1384009 reported by Aaron Wells on 2014-10-22

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	Low	Robert Lyon	Mahara 15.04.0
1.10	Fix Released	Low	Unassigned	Mahara 1.10.1
1.8	Fix Released	Low	Unassigned	Mahara 1.8.6
1.9	Fix Released	Low	Unassigned	Mahara 1.9.4
15.04	Fix Released	Low	Robert Lyon	Mahara 15.04.0

Bug Description

The cookie "lastinstitution" that we use to show the proper institution theme to logged-out users, does not properly use the "secure" attribute for sites that are using HTTPS. This means it's possible for the cookie's contents to be obtained via non-HTTPS.

Not a huge thing, since its use is somewhat limited in scope, and the "lastinstitution" data is not very sensitive, but it would be good to use it.

While we're at it, we might also want to check on the (much more important) PHP session cookie. This can be set at the server level, but we could also check for it in PHP. See http://stackoverflow.com/questions/6821883/set-httponly-and-secure-on-phpsessid-cookie-in-php for details on that.

CVE References

2014-8693

Revision history for this message

Robert Lyon (robertl-9) wrote on 2014-11-03:

By the looks of things the htdocs/auth/session.php file has the secure flag set if_https() returns true on line 31.

However the set_cookie() function in lib/web.php and the cookieconsent javascript plugin needed to allow for the 'secure' flag

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-06: A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/3938

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-06:

Patch for "master" branch: https://reviews.mahara.org/3939

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2014-11-06:

I just uploaded some patches for this... but then I noticed that Robert already uploaded some patches as well!

Here's mine:
https://reviews.mahara.org/3938
https://reviews.mahara.org/3939

Here's Robert's:
https://reviews.mahara.org/#/c/3898
https://reviews.mahara.org/#/c/3899

information type:

Private Security → Public Security

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11: A change has been merged

Reviewed: https://reviews.mahara.org/3939
Committed: http://gitorious.org/mahara/mahara/commit/e7d46cfc36d0a45a99c7dd598a455e0556d9f4b5
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit e7d46cfc36d0a45a99c7dd598a455e0556d9f4b5
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 19:08:28 2014 +1300

Make Cookie Consent set the "secure" flag over HTTPS

Bug 1384009

Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2014-11-11:

Robert,

Can you please "publish" your draft change https://reviews.mahara.org/#/c/3898/2 ? I've marked this as a "public security" bug, so there's no need to keep the patch secret now.

Cheers,
Aaron

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

Reviewed: https://reviews.mahara.org/3898
Committed: http://gitorious.org/mahara/mahara/commit/dfbb1197e82e478f04952d62a9a1bf5333bfe559
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit dfbb1197e82e478f04952d62a9a1bf5333bfe559
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11: A patch has been submitted for review

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/3965

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3966

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

#10

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3967

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11: A change has been merged

#11

Reviewed: https://reviews.mahara.org/3967
Committed: http://gitorious.org/mahara/mahara/commit/9268eb858f6c27eaf7e119e8594cea278c7fa82d
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 9268eb858f6c27eaf7e119e8594cea278c7fa82d
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

#12

Reviewed: https://reviews.mahara.org/3966
Committed: http://gitorious.org/mahara/mahara/commit/d9af551ce0d9ab1641259fbe010a468d206417d0
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit d9af551ce0d9ab1641259fbe010a468d206417d0
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

#13

Reviewed: https://reviews.mahara.org/3965
Committed: http://gitorious.org/mahara/mahara/commit/71c08f65b8ca5648ceec5dfb332934924f2de8f9
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 71c08f65b8ca5648ceec5dfb332934924f2de8f9
Author: Robert Lyon <email address hidden>
Date: Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <email address hidden>

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11: A patch has been submitted for review

#14

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3968

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

#15

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/3969

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11: A change has been merged

#16

Reviewed: https://reviews.mahara.org/3968
Committed: http://gitorious.org/mahara/mahara/commit/5210bfb12548b13000db33292d4649e07c565615
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit 5210bfb12548b13000db33292d4649e07c565615
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 19:08:28 2014 +1300

Make Cookie Consent set the "secure" flag over HTTPS

Bug 1384009

Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2014-11-11:

#17

Reviewed: https://reviews.mahara.org/3969
Committed: http://gitorious.org/mahara/mahara/commit/7c6f8fdfc573befda0a91b434e2ccec3f2c99920
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 7c6f8fdfc573befda0a91b434e2ccec3f2c99920
Author: Aaron Wells <email address hidden>
Date: Thu Nov 6 19:08:28 2014 +1300

Make Cookie Consent set the "secure" flag over HTTPS

Bug 1384009

Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2014-11-11:

#18

Because Cookie Consent doesn't have a public bug tracker anywhere, I sent them an email to share the patch https://reviews.mahara.org/3939 back upstream.

Although I suppose for general-purpose Cookie Consent use, they probably won't want to upstream that patch. Since Cookie Consent may be used on mixed-content sites, in which it would actually be preferrably *not* to have the "secure" flag set.

Robert Lyon (robertl-9) on 2015-04-17

Changed in mahara:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.