- Type: Bug
- Resolution: Fixed
- Priority: Minor
- Fix versions: 2.7.15, 2.8.12, 2.9.7, 3.0.5, 3.1.1
- MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
- MOODLE_30_STABLE, MOODLE_31_STABLE
- Branch: MDL-55273-cookie-secure-default
So we've just run into this bug the hard way. The cookiesecure setting isn't set, so moodle sessions are being leaked over an unencrypted network request to the http version, even though it just immediately serves a redirect back to the proper wwwroot.
To reproduce:
- turn on network tab in chrome dev tools, turn on preserve log
- login to the secure site normally so you have a session
- then access the non-secure version; it should serve a redirect to the https version, but you can see the cookie data in the meantime
So the things that jump out at me are:
1) Why isn't this setting on by default? If the site isn't run over https then the setting is ignored, so I can't see a downside to this being on by default.
2) Why does this setting even exist? Following on that, if there is no downside with non secure sites, and it can safely always be on, why even have the setting? I can't think of a valid use case for why you would ever want this off. It's just a big security hole waiting to happen everywhere.
There is some overlap with MDL-50689.
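The leak described in the reproduction steps comes down to one browser rule: a cookie without the Secure attribute is attached to any matching request, including the plain-http one that only gets a redirect back. The following added example (not Moodle's code) parses sample Set-Cookie headers and reports which session cookies a browser would send on an http:// request; the header lines are constructed, and the MoodleSession cookie name is assumed to be the default with no $CFG->sessioncookie suffix.

```python
"""Check whether a site's session cookie would be sent on a plain-http request."""
from http.cookies import SimpleCookie

# Constructed sample responses in the shape a login response might carry.
# Assumption: the session cookie uses Moodle's default "MoodleSession" name.
HEADERS_WITHOUT_SECURE = [
    "Set-Cookie: MoodleSession=abc123def456; path=/; HttpOnly",
]
HEADERS_WITH_SECURE = [
    "Set-Cookie: MoodleSession=abc123def456; path=/; HttpOnly; Secure",
]


def parse_set_cookie(headers):
    """Return {name: {'secure': bool, 'httponly': bool}} for each Set-Cookie header."""
    cookies = {}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        jar = SimpleCookie()
        jar.load(line.split(":", 1)[1].strip())
        for name, morsel in jar.items():
            # SimpleCookie stores absent flags as "" and present flags as True.
            cookies[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return cookies


def cookies_sent_over(headers, scheme, session_prefix="MoodleSession"):
    """Names of session cookies a browser would attach to a request on `scheme`."""
    sent = []
    for name, attrs in parse_set_cookie(headers).items():
        if not name.startswith(session_prefix):
            continue
        if scheme == "http" and attrs["secure"]:
            continue  # Secure cookies are never sent over plain http
        sent.append(name)
    return sent


def leaks_over_http(headers):
    """True if the session cookie would travel on the http:// redirect request."""
    return bool(cookies_sent_over(headers, "http"))


if __name__ == "__main__":
    for label, hdrs in (("without Secure", HEADERS_WITHOUT_SECURE),
                        ("with Secure", HEADERS_WITH_SECURE)):
        print(label, "-> leaks" if leaks_over_http(hdrs) else "-> not sent over http")
```

Run it against the real Set-Cookie header from your own site's login response to confirm that enabling cookiesecure actually produces the Secure attribute.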