In-Portal Issue Tracker


ID: 0000048
Category: [In-Portal CMS] Security
Type: bug report
Reproducibility: always
Date Submitted: 2009-06-07 06:06
Last Update: 2010-01-12 11:06
Reporter: alex
View Status: public
Project Name: In-Portal CMS
Assigned To: Dmitry
Developer:
Priority: normal
Resolution: fixed
Fixed in Version: 5.1.0
Status: closed
Product Version: 5.0.0
Target Version: 5.1.0
Time Estimate: No estimate
Summary: 0000048: Cookies are Set in non-SSL mode for SSL connections
Description: When a secure connection to the server is established (URL like "https://..."), cookies should be set with the "secure" parameter given to the "setcookie" function. This doesn't happen. Maybe today this works because insecurely set cookies are also available in a secure connection.


-  Notes
(0000034)
Dmitry (manager)
2009-06-07 17:17

Here is the explanation for this -- http://cookies.lcs.mit.edu/sslflag.html
(0000046)
alex (manager)
2009-06-09 02:52

It looks like it works exactly as I suspected. Still, should we do something about it in our case? The only place where we have SSL<->NON-SSL redirects is the Front-End, and there SessionKey is passed in GET and no cookies are used.
(0000222)
Dmitry (manager)
2009-08-03 15:44

We need more details on this. How can it affect the site?
(0001409)
alex (manager)
2010-01-12 11:06

This is no longer an issue, because I've determined the case when we actually use a cookie set in non-SSL mode on an SSL connection and vice versa.

This is the case when the whole website is in non-SSL mode, but the login page is.
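
Added example (not part of the tracker notes and not In-Portal code): a sketch of tying the "secure" argument of setcookie() to the scheme of the current request, plus the browser rule that decides whether such a cookie comes back on the HTTPS login page and on plain-HTTP pages. The function names, the cookie name "sid" and the $_SERVER samples are constructed for illustration.

```php
<?php
// Added example: function names are hypothetical, not In-Portal's API.

// True when the request arrived over HTTPS. $server is normally $_SERVER;
// it is a parameter so the logic can be run against constructed input.
function request_is_https(array $server)
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Positional arguments for setcookie(): name, value, expires, path, domain,
// secure, httponly. The secure flag follows the scheme of the current request.
function cookie_args(array $server, $name, $value)
{
    return array($name, $value, 0, '/', '', request_is_https($server), true);
}

// In a web request: send the cookie before any output.
function send_cookie(array $server, $name, $value)
{
    return call_user_func_array('setcookie', cookie_args($server, $name, $value));
}

// Browser rule for the Secure attribute: a secure cookie is only returned
// over HTTPS; a cookie without it is returned over both HTTP and HTTPS.
function browser_returns_cookie($cookieIsSecure, array $nextRequest)
{
    return !$cookieIsSecure || request_is_https($nextRequest);
}

if (PHP_SAPI === 'cli') {
    // Constructed $_SERVER samples: HTTPS login page, plain-HTTP content page.
    $login = array('HTTPS' => 'on', 'SERVER_PORT' => '443');
    $page  = array('SERVER_PORT' => '80');

    foreach (array('login' => $login, 'page' => $page) as $setOn => $server) {
        $args = cookie_args($server, 'sid', 'constructed-value');
        printf(
            "set on %-5s secure=%-5s returned on login=%s page=%s\n",
            $setOn,
            var_export($args[5], true),
            var_export(browser_returns_cookie($args[5], $login), true),
            var_export(browser_returns_cookie($args[5], $page), true)
        );
    }
}
```

Run from the command line, the first row shows that a cookie set with the secure flag on the HTTPS login page is not returned on the HTTP pages, so a site that mixes both schemes has to account for that before enabling the flag.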

- Issue History
Date Modified Username Field Change
2010-01-12 11:06 alex Note Added: 0001409
2010-01-12 11:06 alex Status needs feedback => closed
2010-01-12 11:06 alex Resolution open => fixed
2010-01-12 11:06 alex Fixed in Version => 5.1.0
2009-08-03 15:44 Dmitry Note Added: 0000222
2009-08-03 15:44 Dmitry Target Version 5.0.1 => 5.1.0
2009-06-09 02:52 alex Note Added: 0000046
2009-06-09 02:52 alex Status reviewed and tested => needs feedback
2009-06-07 17:17 Dmitry Assigned To => Dmitry
2009-06-07 17:17 Dmitry Note Added: 0000034
2009-06-07 17:17 Dmitry Assigned To alex =>
2009-06-07 17:17 Dmitry Target Version 5.0.0 => 5.0.1
2009-06-07 17:17 Dmitry Summary Cookies are sent in insecure way during secure connection => Cookies are Set in non-SSL mode for SSL connections
2009-06-07 17:12 Dmitry Assigned To => alex
2009-06-07 17:12 Dmitry Status active => reviewed and tested
2009-06-07 17:12 Dmitry Target Version => 5.0.0
2009-06-07 06:06 alex Category (No Category) => Security
2009-06-07 06:06 alex New Issue


