Feature #21697
Updated by Toshi MARUYAMA over 6 years ago
The default configuration of redmine sends session cookie open for any connection type. This allows an attacker to steal the session cookie and access one's redmine session. It is possible to secure the cookie by changing the option in application.rb file. <pre><code class="ruby"> <pre> config.session_store :cookie_store, :key => '_redmine_session', :secure => true </code></pre> </pre> But this will prevent users from accessing system via plain HTTP protocol in local network. Let Redmine set secure cookie flag depending on request scheme and X-Forwarded-Proto HTTP-header.