#1097 closed task (fixed)
Add secure flag to cookies when using https
| Reported by: | jatrzask | Owned by: | jatrzask |
|---|---|---|---|
| Priority: | critical | Milestone: | v0.99.0 |
| Component: | Security | Version: | 0.98-dev |
| Keywords: | | Cc: | |
Description
An attacker can hijack a user's session when the user loads a non-secure page. The way to protect against this is to encrypt every page for which the browser will send a cookie. We have to add the secure flag when setting cookies. This instructs the browser not to send the cookie when requesting unencrypted content, which might happen if an encrypted page has unencrypted parts.
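The behaviour the description asks for, as an added example that is not part of this ticket or the project's code: it sets the `Secure` attribute only for HTTPS requests, models the browser rule that withholds such a cookie from unencrypted requests, and checks a response's `Set-Cookie` headers for cookies that lack the flag. The function names, the `SESSIONID` cookie name and the sample headers are assumptions made for illustration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, scheme):
    """Return a Set-Cookie header value; Secure is added only when serving over https."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    if scheme == "https":
        # Without this flag the browser also attaches the cookie to plain-http requests.
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


def _parse(set_cookie_header):
    """Parse one Set-Cookie header value into a SimpleCookie."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    return parsed


def browser_would_send(set_cookie_header, request_scheme):
    """Model of the browser rule: a Secure cookie is withheld from http requests."""
    return all(
        request_scheme == "https" or not morsel["secure"]
        for morsel in _parse(set_cookie_header).values()
    )


def cookies_missing_secure(scheme, set_cookie_headers):
    """Names of cookies that an https response sets without the Secure attribute."""
    if scheme != "https":
        return []
    return [
        name
        for header in set_cookie_headers
        for name, morsel in _parse(header).items()
        if not morsel["secure"]
    ]


if __name__ == "__main__":
    # Constructed sample values, not taken from the ticket.
    header = build_session_cookie("SESSIONID", "abc123", "https")
    print(header)
    print("sent with an http sub-resource:", browser_would_send(header, "http"))
    print(cookies_missing_secure("https", ["SESSIONID=abc123; Path=/; HttpOnly"]))
```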
Change History (7)
comment:1 Changed 3 years ago by jatrzask
- Owner set to jatrzask
- Status changed from new to assigned
comment:2 Changed 3 years ago by jatrzask
- Status changed from assigned to in_work
comment:3 Changed 3 years ago by jatrzask
- Status changed from in_work to awaiting_merge
comment:4 Changed 3 years ago by pferreir
- Status changed from awaiting_merge to merging
comment:5 Changed 3 years ago by pferreir
- Resolution set to fixed
- Status changed from merging to closed
comment:6 Changed 3 years ago by Jakub Trzaskoma <jakub.piotr.trzaskoma@…>
comment:7 Changed 3 years ago by Jakub Trzaskoma <jakub.piotr.trzaskoma@…>