|
In-Portal Issue Tracker - In-Portal CMS
|
|
Viewing Issue Advanced Details |
|
|
ID:
|
Category:
|
Type:
|
Reproducibility:
|
Date Submitted:
|
Last Update:
|
|
48 |
[In-Portal CMS] Security |
bug report |
always |
2009-06-07 06:06 |
2010-01-12 11:06 |
|
|
Reporter:
|
alex |
Platform:
|
|
|
|
Assigned To:
|
Dmitry |
OS:
|
|
|
|
Priority:
|
normal |
OS Version:
|
|
|
|
Status:
|
closed |
Product Version:
|
5.0.0 |
|
|
Product Build:
|
|
Resolution:
|
fixed |
|
| |
|
ETA:
|
none |
Fixed in Version:
|
5.1.0 |
|
|
Reference:
|
|
|
Change Log Message:
|
|
|
Estimate Points:
|
0 |
|
|
Summary:
|
0000048: Cookies are Set in non-SSL mode for SSL connections |
|
Description:
|
When secure connection to server is established (url like "https://..."), then cookies should be set with "secure" parameter given to "setcookie" function. This doesn't happen. Maybe today this works because of insecurely set cookies are also available in secure connection.
|
|
Steps To Reproduce:
|
|
|
Additional Information:
|
|
| Relationships | |
|
Attached Files:
|
|
|
|
Issue History |
|
Date Modified |
Username |
Field |
Change |
|
2010-01-12 11:06 |
alex |
Note Added: 0001409 |
|
|
2010-01-12 11:06 |
alex |
Status |
needs feedback => closed |
|
2010-01-12 11:06 |
alex |
Resolution |
open => fixed |
|
2010-01-12 11:06 |
alex |
Fixed in Version |
=> 5.1.0 |
|
2009-08-03 15:44 |
Dmitry |
Note Added: 0000222 |
|
|
2009-08-03 15:44 |
Dmitry |
Target Version |
5.0.1 => 5.1.0 |
|
2009-06-09 02:52 |
alex |
Note Added: 0000046 |
|
|
2009-06-09 02:52 |
alex |
Status |
reviewed and tested => needs feedback |
|
2009-06-07 17:17 |
Dmitry |
Assigned To |
=> Dmitry |
|
2009-06-07 17:17 |
Dmitry |
Note Added: 0000034 |
|
|
2009-06-07 17:17 |
Dmitry |
Assigned To |
alex => |
|
2009-06-07 17:17 |
Dmitry |
Target Version |
5.0.0 => 5.0.1 |
|
2009-06-07 17:17 |
Dmitry |
Summary |
Cookies are sent in insecure way during secure connection => Cookies are Set in non-SSL mode for SSL connections |
|
2009-06-07 17:12 |
Dmitry |
Assigned To |
=> alex |
|
2009-06-07 17:12 |
Dmitry |
Status |
active => reviewed and tested |
|
2009-06-07 17:12 |
Dmitry |
Target Version |
=> 5.0.0 |
|
2009-06-07 06:06 |
alex |
Category |
(No Category) => Security |
|
2009-06-07 06:06 |
alex |
New Issue |
|
|
Notes |
|
|
(0000034)
|
|
Dmitry
|
|
2009-06-07 17:17
|
|
|
|
|
(0000046)
|
|
alex
|
|
2009-06-09 02:52
|
|
|
It looks like it works exactly as I've suspected. And still should we do something about it in our case? Only place when we have SSL<->NON-SSL redirects is Front-End and there SessionKey is passed in GET and no cookies are used. |
|
|
|
(0000222)
|
|
Dmitry
|
|
2009-08-03 15:44
|
|
|
We need more details on this. How can be affects the site. |
|
|
|
(0001409)
|
|
alex
|
|
2010-01-12 11:06
|
|
This is no longer issue, because I've determined case, when we actually use cookie set in non-ssl mode on ssl connection and via versa.
This is case, when whole website is in non-ssl mode, but login page is. |
|