Jump to content

[Core] Cookies Not Marked As Secure

iancarroll

By iancarroll
in Bugs

 Share

Recommended Posts

Paul Community Regular

Paul

Posted
Posted

You might find this useful http://stackoverflow.com/questions/24129201/add-secure-and-httponly-flags-to-every-set-cookie-response-in-apache-httpd

 

We suggest forcing SSL/TLS with your web server, and setting the necessary flags through the web browser. Many people still use Blesta without SSL, which isn't a good idea but broken installs are no fun either.

Link to comment
Share on other sites
Paul Community Regular

Paul

Posted
Posted

We will consider that. There's also a new setting in 3.4 (currently in beta 2, final out soon) under Staff groups to force logout on IP change. This prevents an attacker from using a stolen cookie. It's enabled by default for new installs and new staff groups, but if you're upgrading you'll need to explicitly enable it.

Link to comment
Share on other sites
Max Newbie

Max

Posted
Posted

There's also a new setting in 3.4 (currently in beta 2, final out soon) under Staff groups to force logout on IP change. This prevents an attacker from using a stolen cookie.

 

Note that you already set the HttpOnly flag, so it is not possible for an attacker to steal the cookie through any Javascript injection vulnerability anyway. Which is good.

If you did not have that flag, the IP restriction could be used as an alternative protection against that.

 

However, this thread is about the Secure flag, and I do not think your IP restriction helps at all for situations that flag is actually for.

Which are situations in which the attacker can actually capture and manipulate your traffic...

 

 

Imagine the following situation:

 

  • You are using the Internet at a public location, e.g. at a conference, using a public wifi access point.
  • You are logged into Blesta using SSL. It displays the padlock icon and everything, so you think it is safe.

 

Now what could possibly go wrong with that? :rolleyes:

 

Well, if I were the rogue wifi access point operator, your laptop is connected to, and you happen to visit any random other (non-SSL) site during the same session (or a website controlled by me), I could inject <img src="http://your-blesta-server/" width=0 height=0> in your traffic. Causing the cookie to be sent in the clear, and intercept that.

Even if your webserver is configured to automatically redirect users requesting http to https, your browser will still send all cookies set previously for that site in the clear first as part of the http request, before it is being redirected.

And since you are using MY connection, using MY IP, the IP restriction will not do any good.

I can send requests using my own IP too, you know... ;)

 

When a Blesta user accesses the site through SSL it really should set the Secure flag when setting any cookies, so the browser knows it is to only allowed to send the cookies with https requests.

It also should regenerate the session id number and invalidate the old one, if the user did access Blesta through insecure HTTP before that point.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...