Defect #19581

_redmine_session cookie security flaw

Added by Marcelo Dalmao about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: High
Assignee: -
Category: Accounts / authentication
Target version: -
Resolution: Invalid
Start date:
Due date:
% Done: 0%
Affected version:

Description

Once logged in to Redmine, simply look for the cookie that is generated and then use it to log in from another browser, without knowing the user name and password. It's a big security breach because anyone with access to copy the cookie can log in as that user without any approval from that person and without being detected.

History

#1 Updated by Ieuan Jenkins about 7 years ago

If you can access a user's cookie, you'd probably have access to the credentials they posted to authenticate as well.

You should be enabling the HTTPS protocol option in the Redmine administration menu which then ensures the _redmine_session cookie is a secure cookie and cannot be intercepted.

#2 Updated by Toshi MARUYAMA about 7 years ago

  • Status changed from New to Needs feedback

I think it is a Rails matter, not Redmine.

Try Securing Redmine session cookie: _redmine_session.

source:config/application.rb#L62
From:

config.session_store :cookie_store, :key => '_redmine_session'

To:

config.session_store :cookie_store, :key => '_redmine_session', :secure => true
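
The config change above adds the Secure attribute to the _redmine_session cookie. What follows is an added example, not code from Redmine or Rails, written to show two things a reader of this report should see side by side: a signed cookie-store session authenticates whoever presents the cookie value (the hijack described in the report), and the :secure option only changes the transport the browser will send it over. The signing layout is a simplified copy of the legacy Rails signed-cookie format (base64 payload, "--", hex HMAC-SHA1), the SECRET is constructed at start-up, and the helper names (sign_session, load_session, hijack_demo, set_cookie_header, missing_cookie_flags) are hypothetical. Only the Ruby standard library is used.

```ruby
# Added example, not Redmine's or Rails' own code. A stand-in for the Rails
# CookieStore session cookie that Redmine names _redmine_session, used to show
# (1) the cookie value alone authenticates whoever presents it, and
# (2) what the :secure option in config.session_store changes on the wire.
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed stand-in for the application's secret (config.secret_token /
# secret_key_base); a real deployment loads it from config, never generates it.
SECRET = SecureRandom.hex(32).freeze

# Constant-time string comparison so digest checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified copy of the legacy Rails signed-cookie layout:
# base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload))).
# Signing stops tampering with the session data; it does nothing to bind the
# cookie to a particular browser, machine or person.
def sign_session(data, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# Verify the signature and return the session hash, or nil if the cookie was
# altered or malformed. Any client presenting an intact cookie is accepted.
def load_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest('SHA1', secret, payload))
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# The hijack from the report: the same cookie value is loaded from a second
# browser. The server sees two identical, valid sessions for user 42, while a
# cookie with one changed byte of payload is rejected by the HMAC check.
def hijack_demo
  cookie  = sign_session('user_id' => 42)
  flipped = cookie[0] == 'A' ? 'B' : 'A'
  {
    victim:   load_session(cookie),                 # the browser that logged in
    attacker: load_session(cookie),                 # a browser the cookie was pasted into
    tampered: load_session(flipped + cookie[1..-1]) # altered payload fails verification
  }
end

# The Set-Cookie header Rack emits for these session_store options. With
# :secure => true the browser only sends the cookie on https:// requests, so an
# attacker watching plain HTTP traffic never sees it.
def set_cookie_header(name, value, secure: false, httponly: true, path: '/')
  attrs = ["#{name}=#{value}", "path=#{path}"]
  attrs << 'secure' if secure
  attrs << 'HttpOnly' if httponly
  attrs.join('; ')
end

# A check to run against a live server's Set-Cookie header (for example the one
# returned by `curl -sI https://redmine.example/login`, a constructed URL):
# returns the hardening attributes that are missing.
def missing_cookie_flags(header)
  attrs = header.split(';').map { |a| a.strip.downcase }
  missing = []
  missing << 'Secure'   unless attrs.include?('secure')
  missing << 'HttpOnly' unless attrs.include?('httponly')
  missing
end

if __FILE__ == $PROGRAM_NAME
  p hijack_demo
  p missing_cookie_flags(set_cookie_header('_redmine_session', 'abc'))
  p missing_cookie_flags(set_cookie_header('_redmine_session', 'abc', secure: true))
end
```

The Secure attribute stops the cookie from travelling over plain HTTP, which is the interception case; it does nothing once the value has already been read out of the browser's cookie jar, which is exactly what the report does by hand. That is why the server-side session store cannot distinguish the two browsers in hijack_demo: the cookie is a bearer token, and only serving the site over HTTPS plus keeping the value out of reach (HttpOnly, no XSS, a clean client) limits who can obtain it.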

#3 Updated by Marcelo Dalmao about 7 years ago

Thank you for your answers. I don't think the first one solves the problem, but I'll try both and tell you whether or not it is addressed.

Let me explain a little better the test I did. For example, we have a Redmine at redmine.com and a project called X. I logged in from any browser with a valid user and accessed project X. Once in, I saved the contents of the cookie to use in another browser.

I opened a new browser window, went to the login page, then loaded the previously obtained cookie into the new browser with the content I had copied. Once you do this, you directly access project X without entering a user name and password.

#4 Updated by Toshi MARUYAMA about 7 years ago

Redmine is Rails application.
I think you would better ask Rails community.
http://rubyonrails.org/community/

#5 Updated by Toshi MARUYAMA about 7 years ago

  • Subject changed from _redmien_session cookie security flaw to _redmine_session cookie security flaw

#6 Updated by Jean-Philippe Lang about 7 years ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Invalid

This is called session hijacking and it's not a Redmine or Rails security flaw. That's why you should really encrypt your HTTP traffic.
