Hi, We discovered a small issue today in sfSessionStorage.
If you set in the factories.yml that the session cookie must be secure only, it is still sent to the user when they access the website via a non-secure connection. This causes problems, and I don't believe it's correct. -- Example The user accesses a symfony website via HTTP. This website has cookies set to secure and is running the sfSslRequirementPlugin. The plugin detects that the website should run over SSL and sends a redirect. At this point, the session cookie is also sent back with this redirect response. It is marked as secure, but it sends it to the user over HTTP. When the user accesses the website via SSL, everything is fine, they send the session and everything OK. If the same user opened up a new tab and typed in the same initial URL again accessing the site over HTTP, not HTTPS, the cookie is NOT sent back to the website as it is marked as secure. At this point, the website thinks it is a new user and issues a new session cookie with the redirect response. When the user is redirected to HTTPS, the new session cookie is sent, and they are logged out of the website for example as they have a new session. There is also the obvious flaw that the session ID is sent over HTTP and can be intercepted. -- Proposed Solution A check should be made in sfSessionStorage so that if the session cookie is marked as secure, it is not sent back to the user over HTTP to the user. This check can wrap the session_start() on line 93 (1.4.4). What do you guys think? -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
