Joomla! Issue Tracker | Joomla! CMS #43882 - [5.x] Fix `secure` flag for session cookies

RTC Release Blocker PR-5.1-dev

Fixed in Code Base
5 Aug 2024
Medium
Build: 5.1-dev
# 43882
Diff
SniperSister:fix/5x-secure-flag

Pending

User tests: Successful: Unsuccessful:

SniperSister
5 Aug 2024

Summary of Changes

The rework of the session management introduced in 5.x broke the code that sets the secure flag for the session cookie on sites with enforced HTTPS. The $options variable, containing the config isn't passed to the storage anymore, resulting in the absence of the flag regardless of the configuration state:
84776fb#diff-bc8698a8418bcc017e622d13e0d460e94f502f09ae0f9c50cb6cd9f7ede73cb0L90

Testing Instructions

Enable "force SSL" on a 5.x site, inspect the session cookie using your developer tools. Verify that the flag is absent. Apply the patch and delete the cookie in your browser. Refresh.

Actual result BEFORE applying this Pull Request

No secure flag

Expected result AFTER applying this Pull Request

secure flag is set as expected

Link to documentations

Please select:

Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed

70a0772 5 Aug 2024

Fix setting secure cookie flag for https-encorced sites

SniperSister - open - 5 Aug 2024

SniperSister - change - 5 Aug 2024

Status

New

⇒

Pending

joomla-cms-bot - change - 5 Aug 2024

Category

⇒

Libraries

SniperSister - change - 5 Aug 2024

The description was changed

SniperSister - edited - 5 Aug 2024

a459e59 5 Aug 2024

apply for all sessions

SniperSister - change - 5 Aug 2024

Labels

Added: PR-5.1-dev

SniperSister - comment - 5 Aug 2024

I've labeled the PR as release blocker because it's security relevant

HLeithner - test_item - 5 Aug 2024 - Tested successfully

HLeithner - comment - 5 Aug 2024

I have tested this item ✅ successfully on a459e59

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43882.}

dautrich - test_item - 5 Aug 2024 - Tested successfully

dautrich - comment - 5 Aug 2024

I have tested this item ✅ successfully on a459e59

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43882.}

alikon - change - 5 Aug 2024

Status

Pending

⇒

Ready to Commit

alikon - comment - 5 Aug 2024

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43882.}

803205c 5 Aug 2024

Merge branch '5.1-dev' into fix/5x-secure-flag

Quy - change - 5 Aug 2024

Labels

Added: RTC

wilsonge - change - 5 Aug 2024

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2024-08-05 13:34:32
Closed_By		⇒	wilsonge
Labels	Added: Release Blocker

wilsonge - close - 5 Aug 2024

wilsonge - merge - 5 Aug 2024

wilsonge - comment - 5 Aug 2024

My bad! Must have had something in mind at some point - but no clue what 3 years later :(

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#43882] - [5.x] Fix `secure` flag for session cookies

Summary of Changes

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Link to documentations

Add a Comment