SSL Cookie "Secure Attribute" breaks login

3 years 11 months ago - 3 years 11 months ago #97881 by jasonweir
jasonweir created the topic: SSL Cookie "Secure Attribute" breaks login
I scanned my LimeSurvey Debian Wheezy install with OpenVAS/Greenbone Security Assistant and it identified the following issue:

Overview: The host is running a server with SSL and is prone to an information
disclosure vulnerability.

Vulnerability Insight:
The flaw is due to the SSL cookie not using the 'secure' attribute, which
allows the cookie to be passed to the server by the client over non-secure
channels (http) and allows an attacker to conduct session hijacking attacks.

Impact Level: Application

Affected Software/OS:
Server with SSL.

Workaround:
Set the 'secure' attribute for any cookies that are sent over an SSL connection.


I enabled mod_headers and added the following line to the Apache config file, which cured the issue (it is no longer detected):

Header set Set-Cookie: "=; =; expires=; domain=; secure; HttpOnly"

However, now at the login screen, if I enter my login information incorrectly it tells me so, but when I enter my correct login credentials it loops back to the login screen. Commenting out the line makes things work as they should.

I assume LimeSurvey is doing its own cookie management and doesn't like Apache doing it as well.
Is there a workaround in LimeSurvey to enable secure SSL cookies?

FYI, I have SSL set up and "Force HTTPS" enabled.

Thanks,
Jason

Edit: Sorry, I'm running LimeSurvey Version 2.00+ Build 130611.

Edit: Just updated to Version 2.00+ Build 130708 and the problem persists.

Edit: Seems related to Bug 7631 bugs.limesurvey.org/view.php?id=7631, although I would not consider this a "feature" but more of a security vulnerability. Please let me know if I should enter a bug. J
Last Edit: 3 years 11 months ago by jasonweir.
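The login loop in the post above follows from what mod_headers does with the two verbs. `Header set` replaces every Set-Cookie header the application emitted with the one literal value given, so the browser receives a single nameless cookie ("=; =; ...") instead of LimeSurvey's session cookie; after the post-login redirect the server has no session to match and shows the login form again. `Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"` instead rewrites each existing Set-Cookie value in place, keeping the cookie name and value and appending the flags (Apache 2.2.4 or later; use the default onsuccess condition, since `Header always edit` operates on the error-response header table and does not touch the headers PHP sets on a normal response). The script below is an added example, not code from the thread or from the LimeSurvey project: it emulates both directives with sed on a constructed login response (made-up cookie names and values; the LS-* name only mimics LimeSurvey's session cookie) and audits the resulting cookies the way the scanner finding does, so you can see why one variant passes the scan and still logs in while the other does not.

```sh
#!/bin/sh
# Added example: emulate the two mod_headers directives and audit Set-Cookie flags.

# Constructed sample: headers a PHP/Yii login redirect might carry. Cookie names
# and values are made up for the example.
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Location: https://survey.example.com/index.php/admin
Set-Cookie: LS-ABCDEFGH=e3f1a9c4b2d7c0a1; path=/
Set-Cookie: YII_CSRF_TOKEN=9a4d1f08b6e2c7d3; path=/
Content-Type: text/html; charset=UTF-8'

# Emulates the line from the post:
#   Header set Set-Cookie "=; =; expires=; domain=; secure; HttpOnly"
# "set" REPLACES every Set-Cookie the application emitted with that one literal
# value, so the session cookie never reaches the browser and the login loops.
emulate_header_set() {
  printf '%s\n' "$1" | sed '/^[Ss]et-[Cc]ookie:/d'
  printf 'Set-Cookie: =; =; expires=; domain=; secure; HttpOnly\n'
}

# Emulates the directive that keeps login working (mod_headers >= 2.2.4):
#   Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"
# "edit" rewrites each Set-Cookie value in place, keeping name and value and
# appending the flags. (A cookie that already has Secure gets a duplicate
# attribute, which browsers tolerate.)
emulate_header_edit() {
  printf '%s\n' "$1" | sed -E 's/^([Ss]et-[Cc]ookie: .*)$/\1; Secure; HttpOnly/'
}

# Audit the Set-Cookie headers in a response blob ($1): prints one line per
# cookie and returns 1 if any cookie is nameless or lacks Secure, i.e. the
# OpenVAS finding plus the "nameless cookie" failure that "Header set" produces.
audit_cookies() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      [Ss]et-[Cc]ookie:*) ;;
      *) continue ;;
    esac
    value=${line#*:}                        # drop the header name
    value=${value#"${value%%[! ]*}"}        # strip leading spaces
    name=${value%%=*}                       # cookie name: text before first '='
    attrs=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' ')
    secure=0; httponly=0
    case ";$attrs;" in *";secure;"*)   secure=1 ;;   esac
    case ";$attrs;" in *";httponly;"*) httponly=1 ;; esac
    printf 'name=%s secure=%d httponly=%d\n' "$name" "$secure" "$httponly"
    if [ -z "$name" ] || [ "$secure" -eq 0 ]; then bad=1; fi
  done <<EOF
$1
EOF
  return $bad
}

# Against a live server (assumed URL), feed curl's header dump to the audit:
#   audit_cookies "$(curl -sS -o /dev/null -D - https://survey.example.com/index.php/admin)"
echo "== as emitted by the application (the OpenVAS finding) =="
audit_cookies "$SAMPLE_RESPONSE" || echo "FAIL: cookie without Secure"
echo "== after 'Header set' (login loops) =="
audit_cookies "$(emulate_header_set "$SAMPLE_RESPONSE")" || echo "FAIL: nameless cookie, session lost"
echo "== after 'Header edit' =="
audit_cookies "$(emulate_header_edit "$SAMPLE_RESPONSE")" && echo "OK: flags added, session cookie intact"
```

The Apache rewrite is a reasonable stopgap for clearing the scan, but the flags belong at the source. LimeSurvey 2.x is built on Yii 1.1, whose CHttpSession component accepts a `cookieParams` array with `secure` and `httponly` keys; if your build's `application/config/config.php` lets you configure the `session` component, setting those there makes the application emit the flags itself (this is an assumption from Yii's API, not something the thread or bug 7631 confirms).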

3 years 11 months ago #98086 by jasonweir
jasonweir replied the topic: SSL Cookie "Secure Attribute" breaks login
Anyone have an update on this? I'd really like to clean up an audit finding.

Thanks,
Jason
