
SniperSister - 11 May 2022

Summary of Changes

Pass the $options array, holding the information whether the secure flag shall be set, in the session service provider to the JoomlaStorage class.

Testing Instructions

Log in to your backend and switch Force SSL in the global config to true.

Actual result BEFORE applying this Pull Request

The secure flag is missing in the backend and frontend session cookie.

Expected result AFTER applying this Pull Request

The secure flag is set.

Documentation Changes Required

SniperSister - open - 11 May 2022
SniperSister - change - 11 May 2022
Status: New → Pending
joomla-cms-bot - change - 11 May 2022
Category: Libraries
sandewt - comment - 11 May 2022

array(3) { ["name"]=> string(32) "4129b0b40bbcb51091c437390b26f476" ["expire"]=> int(900) ["force_ssl"]=> bool(true) }

How can I best check this?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/37777.

SniperSister - comment - 12 May 2022

@sandewt you can use the developer tools in your browser to inspect the cookies set by the site. Those tools show if the secure flag is set or not.

richard67 - comment - 13 May 2022

I have tested this item successfully on a0c63a7

Without the patch, the "secure" flag is always false in the session cookies for the administrator and the site, regardless of the "Force HTTPS" setting in Global Configuration.

With the patch, the "secure" flag is set depending on the "Force HTTPS" setting.

  • "None": False for both the admin and the site session cookie.
  • "Administrator Only": True for the admin and false for the site session cookie.
  • "Entire Site": True for both the admin and the site session cookie.

richard67 - test_item - 13 May 2022 - Tested successfully
richard67 - comment - 13 May 2022

@sandewt Here are some details on where to find the cookies in the developer tools in Firefox, Google Chrome and Microsoft Edge.

Firefox

  1. Get to the developer tools
     [Screenshot: 2022-05-13_devtools-firefox_1]

  2. Get to the cookies in the storage tab
     [Screenshot: 2022-05-13_devtools-firefox_2]

Google Chrome and Microsoft Edge

In Edge, the hot key combination to get the dev tools is different from Google Chrome's, but the navigation to get there and the tabs of the dev tools are the same.

  1. Get to the developer tools
     [Screenshot: 2022-05-13_devtools-chrome_1]

  2. Get to the cookies in the application tab
     [Screenshot: 2022-05-13_devtools-chrome_2]

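The two checks described in the comments above (the expected Secure flag for each "Force HTTPS" setting, and inspecting the cookies the site actually sets), as an added Python example that is not part of this pull request or of Joomla's code. It parses raw Set-Cookie header values (copy them from the Network tab of the dev tools or from a `curl -i` response); the sample headers are constructed, the 0/1/2 numbering of the setting and the rule that a session cookie is one whose name is a 32-character hex string (as in the var_dump earlier in this thread) are my assumptions, and `audit` is my helper.

```python
"""Check the Secure flag on Joomla session cookies against the Force HTTPS setting.

Added example, not Joomla code. Assumption (mine): a session cookie is one whose
name is a 32-character hex string, as in the var_dump earlier in this thread.
"""
import re

# Values of "Force HTTPS" in Global Configuration (numbering assumed).
FORCE_SSL_NONE, FORCE_SSL_ADMIN_ONLY, FORCE_SSL_ENTIRE_SITE = 0, 1, 2
SESSION_COOKIE_NAME = re.compile(r"^[0-9a-f]{32}$")

def parse_set_cookie(header_value: str) -> tuple[str, bool]:
    """Return (cookie name, has Secure attribute) for one Set-Cookie header value.
    Attribute names are case-insensitive (RFC 6265); attribute values are ignored."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, "secure" in attrs

def expected_secure(force_ssl: int, client: str) -> bool:
    """Secure flag the patched code should set, per the test matrix above:
    None: never; Administrator Only: admin client only; Entire Site: always."""
    if force_ssl == FORCE_SSL_ENTIRE_SITE:
        return True
    if force_ssl == FORCE_SSL_ADMIN_ONLY:
        return client == "administrator"
    return False

def audit(set_cookie_headers: list[str], force_ssl: int, client: str) -> list[str]:
    """Names of session cookies whose Secure flag differs from what the setting requires."""
    want = expected_secure(force_ssl, client)
    return [
        name
        for name, secure in map(parse_set_cookie, set_cookie_headers)
        if SESSION_COOKIE_NAME.match(name) and secure != want
    ]

# Constructed sample: Set-Cookie headers as captured from an administrator response.
SAMPLE_HEADERS = [
    "4129b0b40bbcb51091c437390b26f476=s3ss10n; path=/; HttpOnly",  # session cookie, no Secure
    "joomla_user_state=logged_in; path=/; Secure; HttpOnly",  # not a session cookie
]

if __name__ == "__main__":
    for name in audit(SAMPLE_HEADERS, FORCE_SSL_ENTIRE_SITE, "administrator"):
        print(f"session cookie {name}: Secure flag missing despite Force HTTPS = Entire Site")
```

Run it once per client (site and administrator) against the headers of a real response to reproduce the matrix from the test report without clicking through the dev tools.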
tecpromotion - comment - 13 May 2022

I have tested this item successfully on a0c63a7

Thanks @SniperSister.



tecpromotion - test_item - 13 May 2022 - Tested successfully
richard67 - change - 13 May 2022
Status: Pending → Ready to Commit
Labels Added: ?
richard67 - comment - 13 May 2022

RTC



zero-24 - change - 13 May 2022
Labels Added: ?
laoneo - change - 13 May 2022
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2022-05-13 14:21:26
Closed_By: laoneo
laoneo - close - 13 May 2022
laoneo - merge - 13 May 2022
laoneo - comment - 13 May 2022

Thanks!

sandewt - comment - 14 May 2022

Thanks

PhilETaylor - comment - 17 May 2022

The Joomla! project will properly credit individuals and/or organizations who responsibly disclose security issues to the JSST [quote]

As reported to the JSST on 8th September 2021 at 21:17 GMT with the solution being passed to the JSST at 21:30 GMT to be implemented by the JSST... and then ignored until this PR from the JSST Team Leader, in public... 8 months later...

You're Welcome.

Phil, The... "know-it-all, smart-arse, self-absorbed, arrogant poison dwarfs"...

This should also have a CVE assigned as it's listed in the CWE https://cwe.mitre.org/data/definitions/614.html and is in the OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration.

[Screenshot: 2022-05-15 18:55:46]

PhilETaylor - comment - 24 May 2022

So I see I was ignored and 4.1.4 was released without a security release or CVE. Ok, well, time to go public myself then if you are now slipping proven security fixes and calling them bug fixes.
