#5254: Surf Jacking - Session cookies not flagged as secure
----------------------------------------+-----------------------------------
Reporter: zackenbarsch | Owner:
Type: Security Exploit | Status: reopened
Priority: High | Milestone: 1.2.x.x
Component: Session | Version: RC2
Severity: Critical | Resolution:
Keywords: cookie, secure, session | Php_version: PHP 5
Cake_version: 1.2.0.7296 RC2 |
----------------------------------------+-----------------------------------
Changes (by Ocean):
* status: closed => reopened
* resolution: fixed =>
Comment:
Hi there Gwoo,
I probably (definitely) didn't explain myself very well.
This solution does not allow for "opting out" of the security measure, or
handling the issue in a more complex manner.
Moving the fix to the security level conditional...
{{{
switch ($this->security) {
    case 'high':
        $this->cookieLifeTime = 0;
        if ($iniSet) {
            ini_set('session.referer_check', $this->host);
            if (env('HTTPS')) {
                ini_set('session.cookie_secure', 1);
            }
        }
    ...
}}}
... or adding a switch to config/core.php...
... would allow for a usage scenario where the session is used for storing
non-confidential data, and not used for authentication, and the SSL
connection is used in a stateless manner to transmit/receive confidential
data (the connection needs to be secure, but the session does not).
Does this make sense?
--
Ticket URL: <https://trac.cakephp.org/ticket/5254#comment:4>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
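The underlying risk in this ticket is a session cookie issued over HTTPS without the Secure flag, which the browser will then also send over plain HTTP. The following audit helper is an added example for this thread, not CakePHP code and not the ticket author's; it parses Set-Cookie headers and reports session cookies that lack the flag. CAKEPHP is the default CakePHP session cookie name, PHPSESSID is the PHP default, and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for session cookies missing the Secure flag."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cookie names treated as session cookies (assumed set of interest).
SESSION_COOKIE_NAMES = {"CAKEPHP", "PHPSESSID"}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    problem: Optional[str]  # None when the cookie is acceptable


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_headers: List[str], served_over_https: bool) -> List[CookieFinding]:
    """Return one finding per session cookie in the response.

    Over HTTPS a session cookie without Secure is replayed by the browser on
    any plain-HTTP request to the host. Over plain HTTP the cookie is already
    exposed on the wire, so the Secure flag alone cannot protect it.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        secure = "secure" in attrs
        httponly = "httponly" in attrs
        problem = None
        if served_over_https and not secure:
            problem = "session cookie issued over HTTPS without the Secure flag"
        elif not served_over_https:
            problem = "session cookie issued over plain HTTP"
        findings.append(CookieFinding(name, secure, httponly, problem))
    return findings


# Constructed sample headers: one weak session cookie, one hardened, one irrelevant.
SAMPLE_HEADERS = [
    "CAKEPHP=abc123; path=/",
    "CAKEPHP=abc123; path=/; secure; HttpOnly",
    "lang=en; path=/",
]
```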