Ticket #508 (testing security: fixed)
allow for secure only cookies
| Reported by: | mortonda@… | Owned by: | mortonda@… |
|---|---|---|---|
| Priority: | high | Milestone: | 1.0.3 |
| Component: | PHP scripts | Version: | 1.0.2 |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
We should use cookie params to limit Maia sessions to https only, when the login page is https (`$_SERVER['HTTPS']`), and also set the cookie path so that the cookie is only valid from Maia's tree. This could be a minor security issue: via man in the middle attacks to sniff session cookies, or by setting up a rogue Maia installation on the same server.
The attack vector on this is small, but it is still worth fixing.
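The following is an added example of the change the ticket proposes; it is not Maia's own code. It assumes Maia uses PHP's native sessions and is installed under the hypothetical path `/maia/`, and it sets the session cookie's `secure` flag only when the current request was served over HTTPS, so the cookie is never sent over plain HTTP and is never sent for requests outside Maia's directory tree.

```php
<?php
// Added example, not Maia's own code. Assumes PHP native sessions and that
// Maia lives under the hypothetical path /maia/ on this host.

/**
 * Decide whether the current request arrived over HTTPS.
 * $_SERVER['HTTPS'] is unset or empty on plain HTTP; some SAPIs set it to "off".
 */
function maia_request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Build the session cookie parameters for Maia.
 * - path:     cookie is only sent for URLs under Maia's tree, so another
 *             application on the same host never receives it
 * - secure:   cookie is only sent over HTTPS when the page itself is HTTPS,
 *             which blocks a plaintext man-in-the-middle from reading it
 * - httponly: cookie is not exposed to client-side script
 */
function maia_cookie_params(array $server, string $cookie_path = '/maia/'): array
{
    return [
        'lifetime' => 0,                              // discarded when the browser closes
        'path'     => $cookie_path,
        'domain'   => '',                             // current host only
        'secure'   => maia_request_is_https($server), // true only behind HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

/**
 * Apply the parameters and start the session. Must run before any output
 * and before session_start(), since the flags are baked into the Set-Cookie
 * header that starts the session.
 */
function maia_session_start(string $cookie_path = '/maia/'): void
{
    // The array form of session_set_cookie_params() needs PHP 7.3 or newer.
    session_set_cookie_params(maia_cookie_params($_SERVER, $cookie_path));
    session_start();
}

maia_session_start();
```

Because `secure` is derived from the request, a login page that is still served over plain HTTP keeps working, but any deployment that serves the login page over HTTPS gets a cookie the browser will refuse to send back over HTTP. The `path` restriction is what stops a second, rogue installation elsewhere on the same host from receiving the Maia session cookie.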
Change History