I've added this as a ticket with a proposed patch. http://trac.symfony-project.org/ticket/8677
On 19 May, 09:30, Stephen Melrose <[email protected]> wrote: > Hi, > > We discovered a small issue today in sfSessionStorage. > > If you set in the factories.yml that the session cookie must be secure > only, it is still sent to the user when they access the website via a > non-secure connection. This causes problems, and I don't believe it's > correct. > > -- Example > > The user accesses a symfony website via HTTP. This website has cookies > set to secure and is running the sfSslRequirementPlugin. > > The plugin detects that the website should run over SSL and sends a > redirect. At this point, the session cookie is also sent back with > this redirect response. It is marked as secure, but it sends it to the > user over HTTP. > > When the user accesses the website via SSL, everything is fine, they > send the session and everything OK. > > If the same user opened up a new tab and typed in the same initial URL > again accessing the site over HTTP, not HTTPS, the cookie is NOT sent > back to the website as it is marked as secure. At this point, the > website thinks it is a new user and issues a new session cookie with > the redirect response. When the user is redirected to HTTPS, the new > session cookie is sent, and they are logged out of the website for > example as they have a new session. > > There is also the obvious flaw that the session ID is sent over HTTP > and can be intercepted. > > -- Proposed Solution > > A check should be made in sfSessionStorage so that if the session > cookie is marked as secure, it is not sent back to the user over HTTP > to the user. This check can wrap the session_start() on line 93 > (1.4.4). > > What do you guys think? > > -- > If you want to report a vulnerability issue on symfony, please send it to > security at symfony-project.com > > You received this message because you are subscribed to the Google > Groups "symfony developers" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group > athttp://groups.google.com/group/symfony-devs?hl=en -- If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com You received this message because you are subscribed to the Google Groups "symfony developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
