Reviewed:  https://reviews.mahara.org/3967
Committed: http://gitorious.org/mahara/mahara/commit/9268eb858f6c27eaf7e119e8594cea278c7fa82d
Submitter: Robert Lyon ([email protected])
Branch:    1.8_STABLE

commit 9268eb858f6c27eaf7e119e8594cea278c7fa82d
Author: Robert Lyon <[email protected]>
Date:   Mon Nov 3 13:39:27 2014 +1300

Cookie lacking "secure" flag for HTTPS sites (Bug #1384009)

Change-Id: I1a175c9eba4acea2902bbbd10050322eaff69cf5
Signed-off-by: Robert Lyon <[email protected]>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1384009

Title:
  Cookie lacking "secure" flag for HTTPS sites

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  New
Status in Mahara 1.8 series:
  New
Status in Mahara 1.9 series:
  New
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  The cookie "lastinstitution" that we use to show the proper
  institution theme to logged-out users, does not properly use the
  "secure" attribute for sites that are using HTTPS. This means it's
  possible for the cookie's contents to be obtained via non-HTTPS.

  Not a huge thing, since its use is somewhat limited in scope, and the
  "lastinstitution" data is not very sensitive, but it would be good to
  use it.

  While we're at it, we might also want to check on the (much more
  important) PHP session cookie. This can be set at the server level,
  but we could also check for it in PHP. See
  http://stackoverflow.com/questions/6821883/set-httponly-and-secure-on-phpsessid-cookie-in-php
  for details on that.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1384009/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
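
The change the bug description asks for, sketched as an added example (not part of the original message and not Mahara's own code): derive the "secure" flag from the site's configured base URL and apply it to both the "lastinstitution" cookie and the PHP session cookie. The helper names and the sample base URL are assumptions.

```php
<?php
// Added example, not Mahara code. Helper names and $wwwroot are hypothetical.

/** True when the configured base URL uses HTTPS, so cookies must be Secure. */
function site_uses_https($wwwroot) {
    return strtolower((string) parse_url($wwwroot, PHP_URL_SCHEME)) === 'https';
}

/** Build the cookie attributes once so every cookie the site sets agrees. */
function cookie_attributes($wwwroot) {
    $path = parse_url($wwwroot, PHP_URL_PATH);
    return array(
        'path'     => $path ? rtrim($path, '/') . '/' : '/',
        'domain'   => '',                        // host-only cookie
        'secure'   => site_uses_https($wwwroot), // never sent over plain HTTP
        'httponly' => true,                      // not readable from script
    );
}

/** Apply the attributes to the PHP session cookie; call before session_start(). */
function harden_session_cookie($wwwroot) {
    $a = cookie_attributes($wwwroot);
    session_set_cookie_params(0, $a['path'], $a['domain'], $a['secure'], $a['httponly']);
}

/** Set the theme-hint cookie with the same attributes as the session cookie. */
function set_lastinstitution_cookie($wwwroot, $institution, $lifetime) {
    $a = cookie_attributes($wwwroot);
    return setcookie('lastinstitution', $institution, time() + $lifetime,
        $a['path'], $a['domain'], $a['secure'], $a['httponly']);
}

// Constructed sample value; a real site would read this from its configuration.
$wwwroot = 'https://mahara.example.org/portfolio/';
harden_session_cookie($wwwroot);
set_lastinstitution_cookie($wwwroot, 'exampleinst', 60 * 60 * 24 * 30);

// Shows the attributes the session cookie will be issued with.
print_r(session_get_cookie_params());
```

The same session settings can be made at the server level with the `session.cookie_secure` and `session.cookie_httponly` php.ini directives.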
