Pass the $options array, which holds the information whether the secure flag shall be set, from the session service provider to the JoomlaStorage class.
Log in to your backend, switch Force SSL in the global config to true.
Before the patch: the secure flag is missing in the backend and frontend session cookies.
After the patch: the secure flag is set.
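The wiring the summary above describes, as an added example that is not the PR's or the Joomla project's own code: a stand-in service provider builds the $options array (including force_ssl) and a stand-in storage class applies it to the session cookie parameters. makeSessionOptions(), ExampleSessionStorage and the $config keys are assumptions for illustration, not Joomla identifiers; the "before" call models the pre-patch behaviour in which the storage never received force_ssl. It needs PHP 8.0 or later and runs from the command line.

```php
<?php
// Added example, not code from the Joomla project: a minimal stand-in for the
// session service provider and storage class wiring this PR describes.
// makeSessionOptions(), ExampleSessionStorage and the $config keys are
// assumptions for illustration, not Joomla identifiers.
declare(strict_types=1);

/**
 * Build the $options array handed to the storage. In Joomla the "Force HTTPS"
 * value comes from Global Configuration; here $config is a constructed array
 * and force_ssl is assumed to already be reduced to a boolean.
 */
function makeSessionOptions(array $config): array
{
    return [
        'name'      => md5('example-session-name'),        // constructed cookie name
        'expire'    => ((int) ($config['lifetime'] ?? 15)) * 60,
        'force_ssl' => (bool) ($config['force_ssl'] ?? false),
    ];
}

final class ExampleSessionStorage
{
    public function __construct(private array $options = [])
    {
    }

    /** Apply the cookie parameters the session will use when it starts. */
    public function applyCookieParams(): array
    {
        $current = session_get_cookie_params();

        session_set_cookie_params([
            'lifetime' => 0,                       // browser-session cookie
            'path'     => $current['path'],
            'domain'   => $current['domain'],
            // The point of the fix: before it, the storage never received
            // force_ssl, so this stayed false regardless of Force HTTPS.
            'secure'   => (bool) ($this->options['force_ssl'] ?? false),
            'httponly' => true,                    // good practice, unrelated to this PR
            'samesite' => 'Lax',
        ]);

        return session_get_cookie_params();
    }
}

// Pre-patch shape: the provider passed no force_ssl to the storage.
$before = (new ExampleSessionStorage(['name' => md5('x'), 'expire' => 900]))
    ->applyCookieParams();

// Post-patch shape: force_ssl travels with the options.
$after = (new ExampleSessionStorage(makeSessionOptions(['force_ssl' => true, 'lifetime' => 15])))
    ->applyCookieParams();

printf("secure flag before patch: %s\n", var_export($before['secure'], true));
printf("secure flag after patch:  %s\n", var_export($after['secure'], true));
```

The only behavioural difference between the two calls is whether force_ssl reaches the storage; once it does, the Secure attribute on the session cookie follows the Force HTTPS setting instead of being unconditionally off.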
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries |
I have tested this item
Without the patch, the "secure" flag is always false in the session cookies for the administrator and the site, regardless of the "Force HTTPS" setting in Global Configuration.
With the patch, the "secure" is set depending on the "Force HTTPS" setting.
@sandewt Here some details where to find the cookies in the developer tools in Firefox, Google Chrome and Microsoft Edge.
In Edge, the hot key combination to get the dev tools is different to Google Chrome, but the navigation to get there and the tabs of the dev tools are the same.
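Besides reading the flag in the browser's developer tools as described above, the Set-Cookie headers can be checked directly. The following is an added example, not code from the Joomla project or from this comment's author: it parses Set-Cookie header values and reports whether each cookie carries Secure (and HttpOnly). The two header lines are constructed samples with a placeholder cookie name, and fetchSetCookieHeaders() is an optional live variant that is defined but not called so the script runs offline.

```php
<?php
// Added example, not code from the Joomla project or this PR's author: checks
// Set-Cookie headers for the Secure attribute, the same thing the devtools
// "Cookies" tab shows. The header lines below are constructed samples and the
// cookie name is a placeholder, not a real Joomla value.
declare(strict_types=1);

/**
 * Parse one Set-Cookie header value into its name and a case-insensitive map
 * of attributes (flag attributes such as Secure map to true).
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attributes = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, true);
        $attributes[strtolower($key)] = $value;
    }
    return ['name' => $name, 'attributes' => $attributes];
}

/**
 * Report, per cookie, whether Secure and HttpOnly are present. $headers is a
 * list of Set-Cookie header values as sent by the server.
 */
function auditCookieFlags(array $headers): array
{
    $report = [];
    foreach ($headers as $header) {
        $cookie = parseSetCookie($header);
        $report[$cookie['name']] = [
            'secure'   => isset($cookie['attributes']['secure']),
            'httponly' => isset($cookie['attributes']['httponly']),
        ];
    }
    return $report;
}

/**
 * Optional live variant: pull the Set-Cookie headers of a URL with PHP's
 * get_headers(). Not called below so the script runs offline.
 */
function fetchSetCookieHeaders(string $url): array
{
    $headers = get_headers($url, true);
    if ($headers === false) {
        return [];
    }
    $headers = array_change_key_case($headers, CASE_LOWER);
    return isset($headers['set-cookie']) ? (array) $headers['set-cookie'] : [];
}

// Constructed samples: the first is what a site without the fix sends when
// Force HTTPS is on, the second is what it should send with the fix applied.
$samples = [
    'without fix' => 'EXAMPLE_SESSION_ID=abc123; path=/; HttpOnly; SameSite=Lax',
    'with fix'    => 'EXAMPLE_SESSION_ID=abc123; path=/; Secure; HttpOnly; SameSite=Lax',
];

foreach ($samples as $label => $header) {
    foreach (auditCookieFlags([$header]) as $name => $flags) {
        printf(
            "%-11s %s secure=%s httponly=%s\n",
            $label,
            $name,
            var_export($flags['secure'], true),
            var_export($flags['httponly'], true)
        );
    }
}
```

With Force HTTPS enabled, every session cookie in the report should show secure=true for both the site and the administrator; a false entry is the pre-patch state described in the test comment above.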
I have tested this item
thanks @SniperSister
Status | Pending | ⇒ | Ready to Commit |
Labels | Added: ? |
RTC
Labels | Added: ? |
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-05-13 14:21:26 |
Closed_By | ⇒ | laoneo |
Thanks!
Thanks
"The Joomla! project will properly credit individuals and/or organizations who responsibly disclose security issues to the JSST"
As reported to the JSST on 8th September 2021 at 21:17 GMT, with the solution being passed to the JSST at 21:30 GMT to be implemented by the JSST... and then ignored until this PR from the JSST Team Leader, in public... 8 months later...
You're Welcome.
Phil, the... "self-righteous, know-it-all, self-absorbed, arrogant spiteful gnomes"...
This should also have a CVE assigned as it's listed in the CWE https://cwe.mitre.org/data/definitions/614.html and is in the OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration.
So I see I was ignored and 4.1.4 was released without a security release or CVE. Ok, well, time to go public myself then if you are now slipping proven security fixes and calling them bug fixes.
array(3) { ["name"]=> string(32) "4129b0b40bbcb51091c437390b26f476" ["expire"]=> int(900) ["force_ssl"]=> bool(true) }
How can I best check this?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37777.