Project

General

Profile

Actions
Copy link

Feature #21697

open

Set secure flag of the session cookie depending on original request

Added by Anonymous over 9 years ago. Updated about 2 years ago.

Status:
Reopened
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

The default configuration of redmine sends session cookie open for any connection type. This allows an attacker to steal the session cookie and access one's redmine session.

It is possible to secure the cookie by changing the option in application.rb file.

config.session_store :cookie_store, :key => '_redmine_session', :secure => true

But this will prevent users from accessing system via plain HTTP protocol in local network.

Let Redmine set secure cookie flag depending on request scheme and X-Forwarded-Proto HTTP-header.

Related issues

Related to Redmine - Feature #20935: Set autologin cookie as secure by default when using httpsClosedJean-Philippe Lang

Actions
Actions
Copy link
 #1

Updated by Go MAEDA over 9 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Fixed by #20935. Please try Redmine 3.2.0.

Actions
Copy link
 #2

Updated by Go MAEDA over 9 years ago

  • Is duplicate of Feature #20935: Set autologin cookie as secure by default when using https added
Actions
Copy link
 #3

Updated by Anonymous over 9 years ago

The issue #20935 doesn't seem to fix _redmine_session cookie.

Actions
Copy link
 #4

Updated by Go MAEDA over 9 years ago

  • Status changed from Closed to Reopened
Actions
Copy link
 #5

Updated by Go MAEDA over 9 years ago

  • Is duplicate of deleted (Feature #20935: Set autologin cookie as secure by default when using https)
Actions
Copy link
 #6

Updated by Go MAEDA over 9 years ago

  • Related to Feature #20935: Set autologin cookie as secure by default when using https added
Actions
Copy link
 #7

Updated by Go MAEDA over 9 years ago

  • Resolution deleted (Duplicate)
Actions
Copy link
 #9

Updated by Mahesha Matharage over 9 years ago

This issue cannot simulate in the Dev environment.

Actions
Copy link
 #10

Updated by Anonymous over 9 years ago

Steps to simulate task

  1. Set up redmine on host A, HTTP-port 80
  2. Set up reverse proxy on host B, SSL-port 443
  3. Get Redmine page via address http://A/redmine
  4. Get Redemin page via address https://B/redmine

Desired behaviour

  1. Browser receives header Set-Cookie: _redmine_session=...--...; path=/redmine/ from domain A
  2. Browser receives header Set-Cookie: _redmine_session=...--...; path=/redmine/; secure; HttpOnly from domain B
Actions
Copy link
 #11

Updated by Toshi MARUYAMA over 7 years ago

  • Description updated (diff)
Actions
Copy link
 #12

Updated by Go MAEDA over 2 years ago

You can set secure attribute to the cookie by adding the following line to config/additional_environments.rb to force access over HTTPS.

config.force_ssl = true if Rails.env.production?
Actions
Copy link
 #13

Updated by Popa Marius about 2 years ago

Needs to be added to redmine site too

https://observatory.mozilla.org/analyze/redmine.org

Session cookie set without using the Secure flag or set over HTTP
Actions
Copy link

Also available in: Atom PDF