SSL Cookie "Secure Attribute" breaks login
- Topic Author
Overview: The host is running a server with SSL and is prone to information
The flaw is due to the SSL cookie not using the 'secure' attribute, which
allows the cookie to be passed to the server by the client over non-secure
channels (http) and allows an attacker to conduct session hijacking attacks.
Impact Level: Application
Server with SSL.
Set the 'secure' attribute for any cookies that are sent over an SSL connection.
I enabled mod_header and added the following line to the Apache config file, which cured the issue - no longer detected.
Header set Set-Cookie: "=; =; expires=; domain=; secure; HttpOnly"
However, now at the login screen if I enter my login information incorrectly it tells me as such, but when I enter my correct login credentials it loops back to the login screen. Commenting out the line makes things work as they should.
I assume Limesurvey is doing its own cookie management and doesn't like Apache doing it as well.
Is there a workaround in Limesurvey to enable secure SSL cookies?
FYI I have SSL set up and "Force HTTPS" enabled.
Edit: Sorry I'm running Limesurvey Version 2.00+ Build 130611
Edit: Just updated to Version 2.00+ Build 130708 and the problem persists.
Edit: Seems related to Bug 7631 bugs.limesurvey.org/view.php?id=7631 - although I would not consider this a "feature" but more of a security vulnerability. Please let me know if I should enter a bug.
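For comparison, an added Apache mod_headers fragment (not from the post above or from the LimeSurvey project) showing why the posted "Header set" line breaks the login and what the same hardening looks like when the existing cookie is edited in place instead of replaced. It assumes the application (LimeSurvey's PHP session) issues its own Set-Cookie headers and that mod_headers is loaded.

```apache
<IfModule mod_headers.c>
    # BROKEN (the line from the post): "set" REPLACES every Set-Cookie header the
    # application emits with this placeholder cookie. The browser never receives
    # the real session cookie, so a successful login is forgotten on the next
    # request and the user is bounced back to the login screen. The scanner stops
    # complaining only because the one cookie it now sees carries "secure".
    # Header set Set-Cookie: "=; =; expires=; domain=; secure; HttpOnly"

    # FIXED: "edit" keeps the application's cookie (name, value, path, expiry)
    # and appends the Secure and HttpOnly attributes to it. $1 is the original
    # header value captured by the regex.
    Header edit Set-Cookie "^(.*)$" "$1; Secure; HttpOnly"

    # Redirect and error responses (e.g. the 302 after a successful login) keep
    # their headers in Apache's "always" table, so apply the same edit there too;
    # otherwise the session cookie set during the login redirect stays unprotected.
    Header always edit Set-Cookie "^(.*)$" "$1; Secure; HttpOnly"
</IfModule>
```

Check the result with a browser's cookie inspector or by reading the Set-Cookie response headers: the session cookie should keep its original name and value and now end with "; Secure; HttpOnly", and the login should no longer loop.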