Hi,

We discovered a small issue today in sfSessionStorage.

If you set in the factories.yml that the session cookie must be secure
only, it is still sent to the user when they access the website via a
non-secure connection. This causes problems, and I don't believe it's
correct.

-- Example

The user accesses a symfony website via HTTP. This website has cookies
set to secure and is running the sfSslRequirementPlugin.

The plugin detects that the website should run over SSL and sends a
redirect. At this point, the session cookie is also sent back with
this redirect response. It is marked as secure, but it sends it to the
user over HTTP.

When the user accesses the website via SSL, everything is fine, they
send the session and everything OK.

If the same user opened up a new tab and typed in the same initial URL
again accessing the site over HTTP, not HTTPS, the cookie is NOT sent
back to the website as it is marked as secure. At this point, the
website thinks it is a new user and issues a new session cookie with
the redirect response. When the user is redirected to HTTPS, the new
session cookie is sent, and they are logged out of the website for
example as they have a new session.

There is also the obvious flaw that the session ID is sent over HTTP
and can be intercepted.

-- Proposed Solution

A check should be made in sfSessionStorage so that if the session
cookie is marked as secure, it is not sent back to the user over HTTP
to the user. This check can wrap the session_start() on line 93
(1.4.4).

What do you guys think?

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en

Reply via email to