Bienvenue, Invité
Nom d'utilisateur : Mot de passe : Se souvenir de moi

SUJET : SSL Cookie "Secure Attribute" breaks login

SSL Cookie "Secure Attribute" breaks login il y a 1 an 2 semaines #97881

  • jasonweir
  • Portrait de jasonweir
I scanned my Limesurvey Debian Wheezy install with OpenVAS\Greenbone Security Assistant and it identified the following issue
Overview: The host is running a server with SSL and is prone to information
disclosure vulnerability.

Vulnerability Insight:
The flaw is due to SSL cookie is not using 'secure' attribute, which
allows cookie to be passed to the server by the client over non-secure
channels (http) and allows attacker to conduct session hijacking attacks.
remote systems.

Impact Level: Application

Affected Software/OS:
Server with SSL.

Set the 'secure' attribute for any cookies that are sent over an SSL connection.

I enabled mod_header and added the following line to the Apache config file, which cured the issue - no longer detected.

Header set Set-Cookie: "=; =; expires=; domain=; secure; HttpOnly"

However, now at the login screen if I enter my login information incorrect it tells me as such but when I enter my correct login credentials it loops back to the login screen. Commenting out the line makes things work as they should

I assume Limesurvey is doing it's own cookie management and doesn't like Apache doing it as well.
Is there a work around in Limesurvey to enable secure ssl cookies??

FYI I have SSL setup and "Force HTTPS" enabled..


Edit: Sorry I'm running Limesurvey Version 2.00+ Build 130611

Edit: Just updated to Version 2.00+ Build 130708 and the problem persists..

Edit: Seems related to Bug 7631 - although I would not consider this a "feature" but more of a security vulnerability. Please let me know if I should enter a bug.. J
Dernière édition: il y a 1 an 2 semaines par jasonweir.
L'administrateur a désactivé l'accès en écriture pour le public.

SSL Cookie "Secure Attribute" breaks login il y a 1 an 1 semaine #98086

  • jasonweir
  • Portrait de jasonweir
Anyone have an update on this? I'd really like to clean an audit finding..

L'administrateur a désactivé l'accès en écriture pour le public.
Modérateurs: ITEd
Temps de génération de la page : 0.147 secondes
Donation Image