Defect #19581
_redmine_session cookie security flaw (Closed)
Description
Once logged in to Redmine, simply look for the cookie that is generated and then use it to log in from another browser, without knowing the user name and password. It's a big security breach because anyone with access to copy the cookie can log in as that user without any approval of the person and without being detected.
Updated by Ieuan Jenkins over 9 years ago
If you can access a user's cookie, you'd probably have access to the credentials they posted to authenticate as well.
You should be enabling the HTTPS protocol option in the Redmine administration menu, which then ensures the _redmine_session cookie is a secure cookie and cannot be intercepted.
Updated by Toshi MARUYAMA over 9 years ago
- Status changed from New to Needs feedback
I think it is a Rails matter, not Redmine.
Try
.source:config/application.rb#L62
From:
config.session_store :cookie_store, :key => '_redmine_session'
To:
config.session_store :cookie_store, :key => '_redmine_session', :secure => true
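The two answers above come down to one observable property: whether the `_redmine_session` Set-Cookie header the server emits carries the `secure` attribute (and, for good measure, `HttpOnly` and `SameSite`). The following Ruby script is an added example, not code from this issue or from Redmine or Rails; it parses Set-Cookie header values the way a practitioner would after capturing them with `curl -I` against their own instance, and reports which hardening attributes the session cookie is missing. The two header strings it audits are constructed samples standing in for the output before and after the `:secure => true` change, and `SESSION_COOKIE` is simply the key name from the config line above.

```ruby
# Added example (not from the Redmine issue or the Redmine/Rails code base):
# audit Set-Cookie headers for the attributes that limit session hijacking.
# Header strings below are constructed samples, not captured from a real server.

SESSION_COOKIE = "_redmine_session"  # cookie name from Redmine's config/application.rb

# Parse one Set-Cookie header value into name, value and a lowercase attribute hash.
# Attributes without a value (Secure, HttpOnly) are stored as true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = {}
  attrs.each do |attr|
    next if attr.empty?            # tolerate a trailing ';'
    key, val = attr.split("=", 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# List the hardening problems for a parsed cookie.
# - missing Secure:   the cookie is also sent over plain HTTP and can be read on the wire
# - missing HttpOnly: the cookie is readable by script running in the page
# - missing SameSite: the cookie is attached to cross-site requests
def cookie_issues(cookie)
  attrs = cookie[:attributes]
  issues = []
  issues << "missing Secure attribute" unless attrs["secure"]
  issues << "missing HttpOnly attribute" unless attrs["httponly"]
  issues << "missing SameSite attribute" unless attrs.key?("samesite")
  issues
end

# Audit a list of Set-Cookie header values and report on the session cookie only.
def audit_session_cookie(headers, name = SESSION_COOKIE)
  session = headers.map { |h| parse_set_cookie(h) }.find { |c| c[:name] == name }
  return { found: false, issues: ["no #{name} cookie in response"] } if session.nil?
  { found: true, issues: cookie_issues(session) }
end

# Constructed samples: the cookie store's output before and after :secure => true.
BEFORE = ["_redmine_session=abc123; path=/; HttpOnly"]
AFTER  = ["_redmine_session=abc123; path=/; secure; HttpOnly; SameSite=Lax"]

if __FILE__ == $0
  [BEFORE, AFTER].each do |hdrs|
    report = audit_session_cookie(hdrs)
    status = report[:issues].empty? ? "ok" : report[:issues].join(", ")
    puts "#{hdrs.first}\n  -> #{status}"
  end
end
```

Run it against the real headers from your own instance by replacing the constructed arrays with the `Set-Cookie:` values copied from a `curl -I https://your-redmine/login` response. The `secure` attribute only helps when the site is actually served over HTTPS, which is what the last comment in this thread asks for; a secure cookie set on a plain-HTTP site is never sent back by the browser at all.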
Updated by Marcelo Dalmao over 9 years ago
Thank you for your answers. I don't think the first solves the problem, but I'll try both and tell you whether or not it is addressed.
I'll explain a little better what I tested. For example, we have a Redmine at redmine.com and a project called X. I logged in from any browser with a valid user and accessed project X. On accessing it, I saved the contents of the cookie for use in another browser.
I opened a new browser window, went to the login page, then loaded the previously obtained cookie into the new browser with the content I had copied. Once you do this, you directly access project X without entering a username and password.
Updated by Toshi MARUYAMA over 9 years ago
Redmine is Rails application.
I think you would better ask Rails community.
http://rubyonrails.org/community/
Updated by Toshi MARUYAMA over 9 years ago
- Subject changed from _redmien_session cookie security flaw to _redmine_session cookie security flaw
Updated by Jean-Philippe Lang over 9 years ago
- Status changed from Needs feedback to Closed
- Resolution set to Invalid
This is called session hijacking and it's not a Redmine or Rails security flaw. That's why you should really encrypt your HTTP traffic.