[MDL-55273] cookiesecure doesn't default on - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.7.15, 2.8.12, 2.9.7, 3.0.5, 3.1.1
Fix Version/s: 3.0.6, 3.1.2
Component/s: Administration
Labels:
- CatalystIT
- ci
- partner
- release_notes
- triaged

Affected Branches:
MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
Fixed Branches:
MOODLE_30_STABLE, MOODLE_31_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull Master Branch:
~~MDL-55273~~-cookie-secure-default
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...brendanheywood:MDL-55273-cookie-secure-default
Testing Instructions:
Hide

Set up apache serving on both ssl and non ssl

setup a fresh moodle

Confirm the default value for secure cookies is on

With the following do a full cookie clear before each:

Confirm if wwwroot is http then cookies are not secure

Confirm if wwwroot is http with httpslogin on then cookies are not secure

Confirm if wwwroot is https and securecookie is off then cookies of not secure

Confirm if wwwroot is https and securecookie is on then cookies of not secure

Confirm is wwwroot is http, and secure cookie is on, and sslproxy is set then cookies should be secure (need to setup a ssl proxy to properly test)
Show
Set up apache serving on both ssl and non ssl setup a fresh moodle Confirm the default value for secure cookies is on With the following do a full cookie clear before each: Confirm if wwwroot is http then cookies are not secure Confirm if wwwroot is http with httpslogin on then cookies are not secure Confirm if wwwroot is https and securecookie is off then cookies of not secure Confirm if wwwroot is https and securecookie is on then cookies of not secure Confirm is wwwroot is http, and secure cookie is on, and sslproxy is set then cookies should be secure (need to setup a ssl proxy to properly test)

Description

So we've just run into this bug the hard way. The cookiesecure setting isn't set, so moodle sessions are being leaked over an unencrypted network request to the http version, even though it just immediately serves a redirect back to the proper wwwroot.

To reproduce:

turn on network tab in chrome dev tools, turn on preserve log
login to the secure site normally so you have a session
then access the non secure version, it should served a redirect to the https version, but you can see the cookie data in the mean time

So the things that jump out at me are:

1) why isn't this setting on by default? If the site isn't run over https then the setting is ignored so I can't see a downside to this being on by default.

2) Why does this setting even exist? Following on that, if there is no downside with non secure sites, and it can safely always be on, why even have the setting? I can't think of a valid use case for why you would ever want this off. It's just a big security hole waiting to happen everywhere.

There is some overlap with ~~MDL-50689~~

Attachments

Issue Links

has a non-specific relationship to

MDL-50689 Improve security reporting for https settings and user enumeration risk

Closed

MDL-42834 Deprecate loginhttps

Closed

has to be done before

MDL-55662 Remove cookiesecure

Closed

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Peer reviewer:: John Okely

Integrator:: Dan Poltawski

Tester:: Simey Lameze

Participants:: Brendan Heywood, CiBoT, Dan Poltawski, David Monllaó, Helen Foster, John Okely, Marina Glancy, Matthew Tavella, Simey Lameze

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 19/Jul/16 5:44 PM

Updated:: 08/Nov/16 1:10 AM

Resolved:: 26/Aug/16 5:49 PM

Fix Release Date:: 12/Sep/16