Opened 11 years ago

Last modified 11 years ago

#508 testing security (fixed)

allow for secure only cookies

Reported by: mortonda@… Owned by: mortonda@…
Priority: high Milestone: 1.0.3
Component: PHP scripts Version: 1.0.2
Severity: major Keywords:
Cc:

Description

We should use cookie params to limit Maia sessions to https only, when the login page is https - $_SERVER['HTTPS'] - and also set the cookie path so that the cookie is only valid from maia's tree. This could be a minor security issue - via man-in-the-middle attacks to sniff session cookies or by setting up a rogue maia installation on the same server.

The attack vector on this is small, but it is still worth fixing.
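The cookie settings the ticket asks for, as an added example rather than the Maia Mailguard project's own code. It assumes PHP 5.2 or later, that the script runs from within the application's install tree (e.g. `/maia/login.php`), and that this runs before `session_start()`.

```php
<?php
// Added example (not Maia's own code): limit the PHP session cookie to HTTPS
// when the login page itself was served over HTTPS, and scope the cookie to
// the application's URL path so a sibling install on the same host cannot
// receive it.

// Detect HTTPS the way the ticket suggests: $_SERVER['HTTPS'] is set and is
// not "off" (some SAPIs set it to "off" rather than leaving it unset).
$isHttps = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';

// Derive the cookie path from the executing script's location, so the cookie
// is only sent for requests under this install's tree (assumption: the script
// lives inside the application directory, e.g. /maia/login.php -> "/maia/").
$appPath = rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';

// Must be called before session_start(); changes the cookie sent from now on.
session_set_cookie_params(
    0,          // lifetime: 0 = session cookie, discarded when the browser closes
    $appPath,   // path: restricts the cookie to the application's own tree
    '',         // domain: empty = current host only
    $isHttps,   // secure: browser sends it only over HTTPS when login was HTTPS
    true        // httponly: hides it from client-side script (hardening beyond the ticket)
);
session_start();
```

A cookie that was first issued over plain HTTP stays non-secure for that session, so this only closes the gap fully when the login page itself is reachable only over HTTPS.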

Change History (2)

comment:1 Changed 11 years ago by mortonda@…

  • Status changed from new to accepted

implemented in [1318] and [1317]

comment:2 Changed 11 years ago by mortonda@…

  • Resolution set to fixed
  • Status changed from accepted to testing