TOPIC: SSL Cookie "Secure Attribute" breaks login

SSL Cookie "Secure Attribute" breaks login 1 year 2 months ago #97881

  • jasonweir
I scanned my Limesurvey Debian Wheezy install with OpenVAS/Greenbone Security Assistant and it identified the following issue:
Overview: The host is running a server with SSL and is prone to information
disclosure vulnerability.

Vulnerability Insight:
The flaw is due to SSL cookie is not using 'secure' attribute, which
allows cookie to be passed to the server by the client over non-secure
channels (http) and allows attacker to conduct session hijacking attacks.
remote systems.

Impact Level: Application

Affected Software/OS:
Server with SSL.

Workaround:
Set the 'secure' attribute for any cookies that are sent over an SSL connection.

I enabled mod_header and added the following line to the Apache config file, which cured the issue - no longer detected.

Header set Set-Cookie: "=; =; expires=; domain=; secure; HttpOnly"

However, now at the login screen if I enter my login information incorrectly it tells me as such, but when I enter my correct login credentials it loops back to the login screen. Commenting out the line makes things work as they should.

I assume Limesurvey is doing its own cookie management and doesn't like Apache doing it as well.
Is there a workaround in Limesurvey to enable secure SSL cookies?

FYI I have SSL setup and "Force HTTPS" enabled..

Thanks,
Jason

Edit: Sorry I'm running Limesurvey Version 2.00+ Build 130611

Edit: Just updated to Version 2.00+ Build 130708 and the problem persists..

Edit: Seems related to Bug 7631 bugs.limesurvey.org/view.php?id=7631 - although I would not consider this a "feature" but more of a security vulnerability. Please let me know if I should enter a bug.. J
Last Edit: 1 year 2 months ago by jasonweir.
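As an added illustration (not code from the post or from Limesurvey), the check below parses Set-Cookie headers the way a scanner would and reports missing Secure/HttpOnly flags; it also shows why the quoted `Header set` line breaks login: it replaces the application's Set-Cookie with a header that has no cookie name, which a browser discards, so the session cookie never arrives. The cookie name `LSSESSID` and the sample headers are constructed assumptions.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from typing import Dict, List, Optional

# Constructed sample headers (not taken from the original post), one per
# server behaviour they illustrate.
SAMPLE_HEADERS = {
    # Hypothetical application-issued session cookie without the flags:
    # the situation the scanner finding describes.
    "app_default": "LSSESSID=abc123; path=/",
    # What the 'Header set Set-Cookie' line from the post emits: the app
    # cookie is replaced wholesale and no named cookie reaches the browser.
    "header_set": "=; =; expires=; domain=; secure; HttpOnly",
    # Hypothetical app cookie with the flags appended instead of replaced.
    "header_edit": "LSSESSID=abc123; path=/; Secure; HttpOnly",
}


def parse_set_cookie(header: str) -> Optional[Dict[str, object]]:
    """Split one Set-Cookie value into name, value and attributes.

    Returns None when the cookie name is empty; per RFC 6265 a browser
    ignores such a header entirely.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.strip():
        return None
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means OK."""
    cookie = parse_set_cookie(header)
    if cookie is None:
        return ["no cookie name: header would be discarded by the browser"]
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing Secure (sent over plain http)")
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing HttpOnly (readable from script)")
    return findings


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(label, audit(hdr) or ["ok"])
```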

SSL Cookie "Secure Attribute" breaks login 1 year 2 months ago #98086

  • jasonweir
Anyone have an update on this? I'd really like to clean an audit finding..

Thanks,
Jason