<p>Redmine - Feature #21697: Set secure flag of the session cookie depending on original request</p>
<p><strong>Go MAEDA</strong>, 2016-01-11T23:39:06Z, https://www.redmine.org/issues/21697?journal_id=68471</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Duplicate</i></li></ul><p>Fixed by <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Set autologin cookie as secure by default when using https (Closed)" href="https://www.redmine.org/issues/20935">#20935</a>. Please try Redmine 3.2.0.</p>
<p><strong>Go MAEDA</strong>, 2016-01-11T23:40:21Z, https://www.redmine.org/issues/21697?journal_id=68473</p>
<ul><li><strong>Is duplicate of</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/20935">Feature #20935</a>: Set autologin cookie as secure by default when using https</i> added</li></ul>
<p><strong>Anonymous</strong>, 2016-01-11T23:44:28Z, https://www.redmine.org/issues/21697?journal_id=68476</p>
<p>The issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Set autologin cookie as secure by default when using https (Closed)" href="https://www.redmine.org/issues/20935">#20935</a> doesn't seem to fix _redmine_session cookie.</p>
<p><strong>Go MAEDA</strong>, 2016-01-11T23:45:59Z, https://www.redmine.org/issues/21697?journal_id=68477</p>
<ul><li><strong>Status</strong> changed from <i>Closed</i> to <i>Reopened</i></li></ul>
<p><strong>Go MAEDA</strong>, 2016-01-11T23:46:36Z, https://www.redmine.org/issues/21697?journal_id=68478</p>
<ul><li><strong>Is duplicate of</strong> deleted (<i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/20935">Feature #20935</a>: Set autologin cookie as secure by default when using https</i>)</li></ul>
<p><strong>Go MAEDA</strong>, 2016-01-11T23:46:47Z, https://www.redmine.org/issues/21697?journal_id=68480</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/20935">Feature #20935</a>: Set autologin cookie as secure by default when using https</i> added</li></ul>
<p><strong>Go MAEDA</strong>, 2016-01-11T23:47:02Z, https://www.redmine.org/issues/21697?journal_id=68482</p>
<ul><li><strong>Resolution</strong> deleted (<del><i>Duplicate</i></del>)</li></ul>
<p><strong>Mahesha Matharage</strong>, 2016-01-12T09:19:41Z, https://www.redmine.org/issues/21697?journal_id=68505</p>
<p>This issue cannot be simulated in the Dev environment.</p>
<p><strong>Anonymous</strong>, 2016-01-12T22:53:56Z, https://www.redmine.org/issues/21697?journal_id=68520</p>
<a name="Steps-to-simulate-task"></a>
<h3 >Steps to simulate task<a href="#Steps-to-simulate-task" class="wiki-anchor">¶</a></h3>
<ol>
<li>Set up Redmine on host A, HTTP-port 80</li>
<li>Set up reverse proxy on host B, SSL-port 443</li>
<li>Get Redmine page via address <a class="external" href="http://A/redmine">http://A/redmine</a></li>
<li>Get Redmine page via address <a class="external" href="https://B/redmine">https://B/redmine</a></li>
</ol>
<a name="Desired-behaviour"></a>
<h3 >Desired behaviour<a href="#Desired-behaviour" class="wiki-anchor">¶</a></h3>
<ol>
<li>Browser receives header <code>Set-Cookie: _redmine_session=...--...; path=/redmine/</code> from domain A</li>
<li>Browser receives header <code>Set-Cookie: _redmine_session=...--...; path=/redmine/; secure; HttpOnly</code> from domain B</li>
</ol>
<p><strong>Toshi MARUYAMA</strong>, 2017-11-30T15:55:55Z, https://www.redmine.org/issues/21697?journal_id=82381</p>
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/82381/diff?detail_id=65094">diff</a>)</li></ul>
<p><strong>Go MAEDA</strong>, 2023-03-03T03:45:22Z, https://www.redmine.org/issues/21697?journal_id=109442</p>
<p>You can set the secure attribute on the cookie by adding the following line to config/additional_environments.rb to force access over HTTPS.</p>
<pre>
config.force_ssl = true if Rails.env.production?
</pre>
<p><strong>Popa Marius</strong>, 2023-07-04T15:03:42Z, https://www.redmine.org/issues/21697?journal_id=110394</p>
<p>Needs to be added to Redmine site too</p>
<p><a class="external" href="https://observatory.mozilla.org/analyze/redmine.org">https://observatory.mozilla.org/analyze/redmine.org</a></p>
<pre>
Session cookie set without using the Secure flag or set over HTTP
</pre>
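<p>The behaviour requested in this issue, sketched as a Rack-style middleware. This is an added example, not Redmine's code and not part of any comment above. It assumes the reverse proxy on host B sends <code>X-Forwarded-Proto</code>; the class name, the stub application and the addresses are hypothetical or constructed.</p>

```ruby
# Added example: Rack-style middleware written without the rack gem.
# Marks the _redmine_session cookie Secure only when the client's original request was HTTPS.
class SecureSessionCookieByOrigin
  COOKIE_NAME = '_redmine_session'

  # trusted_proxies: addresses allowed to assert X-Forwarded-Proto (assumption: host B).
  def initialize(app, trusted_proxies:)
    @app = app
    @trusted_proxies = trusted_proxies
  end

  def call(env)
    status, headers, body = @app.call(env)
    key = headers.keys.find { |k| k.casecmp?('set-cookie') }
    if key && original_https?(env)
      raw = headers[key] # newline-joined String (Rack 2) or Array (Rack 3)
      cookies = (raw.is_a?(Array) ? raw : raw.split("\n")).map { |c| harden(c) }
      headers[key] = raw.is_a?(Array) ? cookies : cookies.join("\n")
    end
    [status, headers, body]
  end

  # HTTPS if this server terminated TLS itself, or a trusted proxy reports https.
  def original_https?(env)
    return true if env['rack.url_scheme'] == 'https'
    return false unless @trusted_proxies.include?(env['REMOTE_ADDR'])
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip.casecmp?('https')
  end

  # Append the missing attributes to the session cookie; other cookies pass through.
  def harden(cookie)
    return cookie unless cookie.start_with?("#{COOKIE_NAME}=")
    attrs = cookie.split(';').drop(1).map { |a| a.strip.downcase }
    cookie += '; secure' unless attrs.include?('secure')
    cookie += '; HttpOnly' unless attrs.include?('httponly')
    cookie
  end
end

# Constructed stand-in for Redmine on host A, emitting the cookie quoted in the issue.
REDMINE_STUB = lambda do |_env|
  [200, { 'Set-Cookie' => '_redmine_session=abc--def; path=/redmine/' }, ['ok']]
end

# Returns the Set-Cookie value a client would receive for the given Rack env.
def set_cookie_for(env)
  app = SecureSessionCookieByOrigin.new(REDMINE_STUB, trusted_proxies: ['192.0.2.10'])
  app.call(env)[1]['Set-Cookie']
end
```

<p>The forwarded header is honoured only when the connection comes from a listed proxy address, so a client that reaches host A directly cannot change the outcome by sending the header itself.</p>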