[Bug 25360] New: Use secure flag for CGISESSID cookie
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 Bug ID: 25360 Summary: Use secure flag for CGISESSID cookie Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org We should consider setting the "secure" flag for the CGISESSID cookie (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnl...), so that it can only be sent to the server from the browser over HTTPS. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I'm debating with myself how best to implement it. On one hand, requiring a cookie to be sent over HTTPS could make legitimate automated testing harder/impossible, and not everyone necessarily has access to HTTPS (although the latter is less common all the time). Here's some thoughts: 1) Use a system preference to force it 2) Try reading $type and relevant *BaseURL system preference to determine whether a HTTP or HTTPS URL is defined (since we can't reliably determine HTTP vs HTTPS for proxied connections unless we used a header like X-Forwarded-Proto) That's about it for ideas right now. But open to other people's ideas. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Actually, it looks like Bug 21267 adds support for X-Forwarded-Proto for Plack-enabled Koha. I think for now I'll write this patch using $ENV->{HTTPS}, which will only work for Plack-enabled Koha, and I'll use Bug 25361 to add support for X-Forwarded-Proto to CGI Koha... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Created attachment 104244 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104244&action=edit Bug 25360: Use secure flag for CGISESSID cookie when using HTTPS This patch adds the secure flag to the CGISESSID cookie when using HTTPS. This prevents the cookie being used again over a normal HTTP request. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #2)
Actually, it looks like Bug 21267 adds support for X-Forwarded-Proto for Plack-enabled Koha.
I think for now I'll write this patch using $ENV->{HTTPS}, which will only work for Plack-enabled Koha, and I'll use Bug 25361 to add support for X-Forwarded-Proto to CGI Koha...
On a CGI Koha, I just added the following to Apache: SetEnvIf X-Forwarded-Proto "https" HTTPS=on Of course, I also had to set X-Forwarded-Proto on my reverse proxy in order to get it to work. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Test Plan: 1) Apply patch 2) Login to your Koha site using HTTPS 3) Note a successful login 4) Login to your Koha site using HTTP 5) Note that your session isn't recognized when using HTTP 6) Reload the page on your HTTPS Koha 7) Note that your session is still recognized when using HTTPS -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #6 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- *** Bug 19571 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Product|Koha security |Koha Status|Passed QA |Pushed to oldoldstable Group|Koha security | Component|Koha |Architecture, internals, | |and plumbing Version|unspecified |master --- Comment #37 from Lucas Gass <lucas@bywatersolutions.com> --- backported to 20.05.x for 20.05.03 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|RM_priority | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|19.05.14, 19.11.09 |20.11.00, 20.05.03, released in| |19.11.09, 19.05.14 --- Comment #38 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 20.11, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=29791 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org