I've added this as a ticket with a proposed patch.

http://trac.symfony-project.org/ticket/8677

On 19 May, 09:30, Stephen Melrose <[email protected]> wrote:
> Hi,
>
> We discovered a small issue today in sfSessionStorage.
>
> If you set in the factories.yml that the session cookie must be secure
> only, it is still sent to the user when they access the website via a
> non-secure connection. This causes problems, and I don't believe it's
> correct.
>
> -- Example
>
> The user accesses a symfony website via HTTP. This website has cookies
> set to secure and is running the sfSslRequirementPlugin.
>
> The plugin detects that the website should run over SSL and sends a
> redirect. At this point, the session cookie is also sent back with
> this redirect response. It is marked as secure, but it sends it to the
> user over HTTP.
>
> When the user accesses the website via SSL, everything is fine, they
> send the session and everything OK.
>
> If the same user opened up a new tab and typed in the same initial URL
> again accessing the site over HTTP, not HTTPS, the cookie is NOT sent
> back to the website as it is marked as secure. At this point, the
> website thinks it is a new user and issues a new session cookie with
> the redirect response. When the user is redirected to HTTPS, the new
> session cookie is sent, and they are logged out of the website for
> example as they have a new session.
>
> There is also the obvious flaw that the session ID is sent over HTTP
> and can be intercepted.
>
> -- Proposed Solution
>
> A check should be made in sfSessionStorage so that if the session
> cookie is marked as secure, it is not sent back to the user over HTTP
> to the user. This check can wrap the session_start() on line 93
> (1.4.4).
>
> What do you guys think?
>
> --
> If you want to report a vulnerability issue on symfony, please send it to 
> security at symfony-project.com
>
> You received this message because you are subscribed to the Google
> Groups "symfony developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group 
> athttp://groups.google.com/group/symfony-devs?hl=en

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en

Reply via email to