View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005887 | Composr | core | public | 2024-08-14 01:36 | 2024-08-18 01:02 |
Field | Value |
---|---|
Reporter | Patrick Schmalstig |
Assigned To | Patrick Schmalstig |
Severity | Minor-bug |
Status | resolved |
Resolution | fixed |
Product Version | 10.0.48.beta |
Fixed in Version | 10.0.49 |
Summary | 0005887: Session cookies should always be HttpOnly / Secure where applicable |
Description | Composr v10 does not currently meet current web standards for cookie security. Namely, session cookies (defined as cookies with an expiration set to Session, not necessarily the Composr session cookie) are not getting the HttpOnly / Secure treatment when they should be, even when a cookie domain is set. cms_setcookie should force HttpOnly / Secure on where applicable for session cookies to meet current web standards. global.js should do the same. |
Tags | Roadmap: v11, Type: Security |
Time estimation (hours) | |
Sponsorship open | |

Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0005888 | closed | Patrick Schmalstig | Login loop when accessing CMS/Admin zones |
related to | 0005889 | resolved | Patrick Schmalstig | CSRF tokens broken |
related to | 0005890 | closed | Patrick Schmalstig | Consider additionally validating CSRF via cookie |

Automated message: This issue was created using the Report Issue Wizard on the Composr homesite.

v11 has the same problem, although only for the Secure property; it is setting HttpOnly like it should.

Automated response: Session cookies should always be HttpOnly / Secure where applicable. This patch forces http-only on Session cookies and also correctly applies the Secure property when applicable. This patch will not work without the updated global*.php files for 10.0.49. See GitLab to get them.

Fixed in git commit 74309df6aa (https://gitlab.com/composr-foundation/composr/commit/74309df6aa - link will become active once code pushed to GitLab).

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have, then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

hotfix-5887, 2024-08-14 2am.tar (50,176 bytes)

Warning: This fix causes 0005888 and 0005889. See those issues for resolutions.

REVERTED in 10.0.50
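The cookie policy the description and the fix note call for, written out as an added PHP illustration; this is not Composr's own cms_setcookie(), and the function names, parameters and the HTTPS detection via $_SERVER['HTTPS'] are assumptions:

```php
<?php
// Added illustration, not Composr's cms_setcookie(): a session cookie (expires == 0)
// is always HttpOnly, and Secure is applied whenever the request itself arrived over
// HTTPS, independently of whether a cookie domain is configured.

/**
 * Decide the attributes for a cookie (hypothetical helper).
 *
 * @param int    $expires  Unix timestamp, or 0 for a session cookie
 * @param bool   $is_https Whether the current request was served over TLS
 * @param bool   $httponly The caller's own wish, honoured only for persistent cookies
 * @param bool   $secure   The caller's own wish, honoured only for persistent cookies
 * @param string $domain   Cookie domain ('' = current host only)
 * @return array Options array accepted by setcookie() on PHP >= 7.3
 */
function hardened_cookie_options(int $expires, bool $is_https, bool $httponly = false,
                                 bool $secure = false, string $domain = ''): array
{
    $is_session_cookie = ($expires === 0);
    return [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => $domain,
        // Secure is only "applicable" over HTTPS: browsers discard a Secure cookie set on
        // a plain http:// response, which would silently break logins on such a site.
        'secure'   => $is_https && ($is_session_cookie || $secure),
        // Session cookies are forced HttpOnly; persistent cookies keep the caller's choice.
        'httponly' => $is_session_cookie || $httponly,
    ];
}

/**
 * Wrapper around setcookie() applying the policy above (hypothetical name).
 */
function set_cookie_hardened(string $name, string $value, int $expires = 0,
                             bool $httponly = false, bool $secure = false, string $domain = ''): bool
{
    // Assumed HTTPS detection; a deployment behind a TLS-terminating proxy needs its own check.
    $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
    return setcookie($name, $value,
        hardened_cookie_options($expires, $is_https, $httponly, $secure, $domain));
}

// A login session cookie with a cookie domain set: over HTTPS it gets both HttpOnly and
// Secure even though the caller asked for neither; over HTTP it still gets HttpOnly.
set_cookie_hardened('cms_session', 'opaque-session-id', 0, false, false, '.example.com');
```

Client-side code such as global.js can only add the Secure attribute, since HttpOnly cannot be set through document.cookie, and any cookie that script must read cannot be HttpOnly in the first place.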
Date Modified | Username | Field | Change |
---|---|---|---|
2024-08-14 01:36 | Patrick Schmalstig | Assigned To | => Patrick Schmalstig |
2024-08-14 01:36 | Patrick Schmalstig | Status | non-assigned => assigned |
2024-08-14 01:38 | Patrick Schmalstig | Note Added: 0009179 | |
2024-08-14 01:38 | Patrick Schmalstig | Tag Attached: Roadmap: v11 | |
2024-08-14 03:16 | Patrick Schmalstig | Tag Attached: Type: Security | |
2024-08-14 18:47 | Patrick Schmalstig | Relationship added | related to 0005888 |
2024-08-14 18:47 | Patrick Schmalstig | Relationship added | related to 0005889 |
2024-08-14 18:47 | Patrick Schmalstig | Note Added: 0009192 | |
2024-08-14 19:29 | Patrick Schmalstig | Relationship added | related to 0005890 |
2024-08-18 01:02 | Patrick Schmalstig | Note Added: 0009235 | |