_redmine_session cookie security flaw
Category: Accounts / authentication
Once logged in to Redmine, simply look for the cookie that is generated and then use it to log in from another browser, without knowing the user name and password. It's a big security breach because anyone with access to copy the cookie can log in as that user without any approval from the person and without being detected.
#1 Updated by Ieuan Jenkins about 7 years ago
If you can access a user's cookie, you'd probably have access to the credentials they posted to authenticate as well.
You should be enabling the HTTPS protocol option in the Redmine administration menu, which then ensures the _redmine_session cookie is a secure cookie and cannot be intercepted.
#2 Updated by Toshi MARUYAMA about 7 years ago
- Status changed from New to Needs feedback
I think it is a Rails matter, not Redmine.
# current setting:
config.session_store :cookie_store, :key => '_redmine_session'
# same setting with the Secure flag, so the browser only sends the cookie over HTTPS:
config.session_store :cookie_store, :key => '_redmine_session', :secure => true
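Added example (not code from the Redmine project or from anyone in this thread): a small Ruby check that parses a Set-Cookie response header and reports whether the _redmine_session cookie was issued with the Secure flag, as the :secure => true setting above produces, and with HttpOnly and SameSite. The two sample headers are constructed; the cookie values are placeholders and the cookie name is the only name taken from the thread.

```ruby
# Audit the security attributes of a Set-Cookie header for the Redmine session cookie.
# Constructed example; the sample headers below are not real Redmine output.

SESSION_COOKIE = '_redmine_session'

# Parse one Set-Cookie header value into its name, value and attributes.
# Attribute names are lowercased; flag attributes without a value map to true.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Return the list of missing protections for the session cookie (empty when all are present).
# Headers for other cookies are ignored.
def audit_session_cookie(header)
  cookie = parse_set_cookie(header)
  return [] unless cookie[:name] == SESSION_COOKIE

  findings = []
  findings << 'missing Secure flag (cookie is also sent over plaintext HTTP)' unless cookie[:attrs]['secure']
  findings << 'missing HttpOnly flag (cookie is readable by page scripts)' unless cookie[:attrs]['httponly']
  findings << 'missing SameSite attribute (cookie is sent on cross-site requests)' unless cookie[:attrs]['samesite']
  findings
end

# Constructed sample headers: one as issued by the default config, one with the flags set.
SAMPLE_WEAK     = '_redmine_session=PLACEHOLDER_SESSION_VALUE; path=/'
SAMPLE_HARDENED = '_redmine_session=PLACEHOLDER_SESSION_VALUE; path=/; secure; HttpOnly; SameSite=Lax'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_WEAK, SAMPLE_HARDENED].each do |header|
    findings = audit_session_cookie(header)
    puts header
    puts(findings.empty? ? '  ok' : findings.map { |f| "  - #{f}" }.join("\n"))
  end
end
```

To use it against a live deployment, feed in the Set-Cookie header from the login response (for example from the browser's network inspector) instead of the constructed samples. The Secure flag stops the cookie from travelling over plaintext HTTP; it does not protect a cookie that was already copied from a logged-in browser, which is why the session should also be invalidated server-side on logout.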
#3 Updated by Marcelo Dalmao about 7 years ago
Thank you for your answers. I don't think the first one solves the problem, but I'll try both and tell you whether or not it is addressed.
I'll explain a little better what I tested. For example, we have a Redmine at redmine.com and a project called X. I logged in from any browser with a valid user and accessed project X. On accessing it, I saved the contents of the cookie for use in another browser.
I opened a new browser window at the login screen, then loaded the previously obtained cookie into the new browser with the content I had copied. Once you do this, you directly access project X without entering a username and password.