SSL Cookie "Secure Attribute" breaks login

  • jasonweir
3 years 8 months ago - 3 years 8 months ago #97881 by jasonweir
I scanned my Limesurvey Debian Wheezy install with OpenVAS/Greenbone Security Assistant and it identified the following issue:

Overview: The host is running a server with SSL and is prone to information
disclosure vulnerability.

Vulnerability Insight:
The flaw is due to SSL cookie is not using 'secure' attribute, which
allows cookie to be passed to the server by the client over non-secure
channels (http) and allows attacker to conduct session hijacking attacks.
remote systems.

Impact Level: Application

Affected Software/OS:
Server with SSL.

Workaround:
Set the 'secure' attribute for any cookies that are sent over an SSL connection.


I enabled mod_header and added the following line to the Apache config file, which cured the issue - no longer detected.

Header set Set-Cookie: "=; =; expires=; domain=; secure; HttpOnly"

However, now at the login screen if I enter my login information incorrectly it tells me as such, but when I enter my correct login credentials it loops back to the login screen. Commenting out the line makes things work as they should.

I assume Limesurvey is doing its own cookie management and doesn't like Apache doing it as well.
Is there a workaround in Limesurvey to enable secure SSL cookies?

FYI I have SSL set up and "Force HTTPS" enabled.

Thanks,
Jason

Edit: Sorry, I'm running Limesurvey Version 2.00+ Build 130611.

Edit: Just updated to Version 2.00+ Build 130708 and the problem persists.

Edit: Seems related to Bug 7631 bugs.limesurvey.org/view.php?id=7631 - although I would not consider this a "feature" but more of a security vulnerability. Please let me know if I should enter a bug. J
Last Edit: 3 years 8 months ago by jasonweir.
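As an added example (not the poster's configuration or LimeSurvey code), the Python model below shows why the `Header set` line above breaks the login while the `Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"` form commonly used with mod_headers does not: `set` discards every Set-Cookie header the application emitted and replaces it with one literal value, whereas `edit` rewrites each existing header in place. The sample response headers are constructed, and Python's `re` uses `\1` where Apache uses `$1`.

```python
import re

# Constructed sample: headers an application sends on a successful login.
# The session cookie lacks Secure and HttpOnly, which is what the scanner flags.
APP_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c; path=/"),
    ("Set-Cookie", "lang=en; path=/; expires=Fri, 01 Jan 2038 00:00:00 GMT"),
]

def parse_set_cookie(value):
    """Return (name, value, {attribute_lower: raw_text}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower(): p for p in parts[1:] if p}
    return name.strip(), val, attrs

def header_set(headers, new_value):
    """Model 'Header set Set-Cookie <value>': all application Set-Cookie headers
    are dropped and replaced by the single literal value."""
    kept = [h for h in headers if h[0].lower() != "set-cookie"]
    return kept + [("Set-Cookie", new_value)]

def header_edit(headers, pattern, replacement):
    """Model 'Header edit Set-Cookie <pattern> <replacement>': the regex is
    applied to each existing Set-Cookie header and nothing is discarded."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = re.sub(pattern, replacement, value)
        out.append((name, value))
    return out

def audit_cookies(headers):
    """Return {cookie_name: [missing attributes]}, the check behind the scanner finding."""
    findings = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            missing = [a for a in ("secure", "httponly") if a not in attrs]
            if missing:
                findings[cname] = missing
    return findings

def session_cookie_survives(headers, cookie_name="sessionid"):
    """True if the application's session cookie still reaches the browser."""
    return any(n.lower() == "set-cookie" and parse_set_cookie(v)[0] == cookie_name
               for n, v in headers)
```

Run `audit_cookies` on the `header_set` result and it reports nothing (the scanner is satisfied), yet `session_cookie_survives` is false, which is the login loop; the `header_edit` result passes both checks. The edit pattern appends the attributes unconditionally, so a cookie that already carries them will list them twice.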


  • jasonweir
3 years 8 months ago #98086 by jasonweir
Anyone have an update on this? I'd really like to clean an audit finding.

Thanks,
Jason
