
Vote #77090

Open

Set secure flag of the session cookie depending on original request

Added by Admin Redmine about 2 years ago. Updated about 2 years ago.

Status:
Reopened
Priority:
Normal
Assignee:
-
Category:
Security_51
Target version:
-
Start date:
2022/05/09
Due date:
Progress:

0%

Estimated time:
Original issue id (issue_org_id):
21697
Comments:
10

Description

The default configuration of Redmine sends the session cookie over any connection type. This allows an attacker to steal the session cookie and access one's Redmine session.

It is possible to secure the cookie by changing the option in the application.rb file.


config.session_store :cookie_store, :key => '_redmine_session', :secure => true

But this will prevent users from accessing the system via the plain HTTP protocol in the local network.

Let Redmine set the secure cookie flag depending on the request scheme and the X-Forwarded-Proto HTTP header.


Journals

Fixed by #20935. Please try Redmine 3.2.0.
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
The issue #20935 doesn't seem to fix the _redmine_session cookie.
--------------------------------------------------------------------------------
This issue cannot be simulated in the Dev environment.
--------------------------------------------------------------------------------
h3. Steps to simulate task

# Set up Redmine on host A, HTTP port 80
# Set up a reverse proxy on host B, SSL port 443
# Get the Redmine page via the address http://A/redmine
# Get the Redmine page via the address https://B/redmine

h3. Desired behaviour

# Browser receives header @Set-Cookie: _redmine_session=...--...; path=/redmine/@ from domain A
# Browser receives header @Set-Cookie: _redmine_session=...--...; path=/redmine/; secure; HttpOnly@ from domain B
--------------------------------------------------------------------------------
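The behaviour asked for in the description (secure flag derived from the request scheme or from X-Forwarded-Proto) and checked by the simulation steps above, as an added example that is not part of this issue or of Redmine's own code: a small Rack middleware in Ruby that rewrites the Set-Cookie header per request. The class name, the set_cookie_for helper, the constructed stand-in app and the cookie value abc--sig are this example's own; it assumes the cookie is named _redmine_session and that X-Forwarded-Proto reaches the application only from your own reverse proxy.

```ruby
# Added example, not Redmine's own code: a Rack middleware that adds the
# "secure" attribute to the session cookie only when the request came in
# over HTTPS, either directly (rack.url_scheme) or through a reverse proxy
# that reports the original scheme in X-Forwarded-Proto.
# Assumptions: the cookie is named _redmine_session (as in the issue) and
# X-Forwarded-Proto is only ever set by your own proxy.
class SecureCookieByScheme
  SESSION_COOKIE = '_redmine_session'.freeze

  def initialize(app, trust_forwarded_proto: true)
    @app = app
    @trust_forwarded_proto = trust_forwarded_proto
  end

  # Same rule Rack::Request#ssl? applies: the scheme Rack itself saw, or the
  # first value of X-Forwarded-Proto when proxies are chained.
  def https_request?(env)
    return true if env['rack.url_scheme'] == 'https'
    return false unless @trust_forwarded_proto

    proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    proto.casecmp('https').zero?
  end

  def call(env)
    status, headers, body = @app.call(env)
    if https_request?(env) && headers['Set-Cookie']
      headers['Set-Cookie'] = add_secure(headers['Set-Cookie'])
    end
    [status, headers, body]
  end

  # Set-Cookie may carry several cookies (newline-joined string in Rack 2,
  # an Array in Rack 3); only the session cookie is touched, and only once.
  def add_secure(value)
    cookies = value.is_a?(Array) ? value : value.split("\n")
    patched = cookies.map do |cookie|
      next cookie unless cookie.start_with?("#{SESSION_COOKIE}=")
      next cookie if cookie.split(';').map(&:strip).any? { |a| a.casecmp('secure').zero? }

      "#{cookie}; secure"
    end
    value.is_a?(Array) ? patched : patched.join("\n")
  end
end

# Constructed stand-in for Redmine: always issues the session cookie without
# the secure attribute, which is what the default configuration does.
INNER_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'text/html',
     'Set-Cookie' => '_redmine_session=abc--sig; path=/redmine/; HttpOnly' },
   ['ok']]
end

APP = SecureCookieByScheme.new(INNER_APP)

# Runs one request through the stack and returns the resulting Set-Cookie.
# scheme is what Rack saw (host A: plain HTTP); forwarded_proto is what the
# reverse proxy on host B reports for the client's original connection.
def set_cookie_for(scheme:, forwarded_proto: nil)
  env = { 'rack.url_scheme' => scheme, 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/redmine' }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded_proto if forwarded_proto
  _status, headers, _body = APP.call(env)
  headers['Set-Cookie']
end

if __FILE__ == $PROGRAM_NAME
  puts "http://A/redmine  -> #{set_cookie_for(scheme: 'http')}"
  puts "https://B/redmine -> #{set_cookie_for(scheme: 'http', forwarded_proto: 'https')}"
end
```

Mounted in front of the application, this leaves host A's plain-HTTP response with the cookie unchanged and appends secure to the cookie in host B's proxied-HTTPS response, which is the pair of Set-Cookie headers listed under "Desired behaviour". The trust assumption matters: if a client can reach the application directly and set X-Forwarded-Proto itself, the worst it can do is mark its own cookie secure and lose its session over HTTP; a request Rack itself saw as HTTPS is always treated as HTTPS regardless of the header.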


Related issues

Relates to #20935 (Closed): Set autologin cookie as secure by default when using https

Updated by Admin Redmine about 2 years ago

  • Category set to Security_51
