Feature #21697
openSet secure flag of the session cookie depending on original request
0%
Description
The default configuration of redmine sends session cookie open for any connection type. This allows an attacker to steal the session cookie and access one's redmine session.
It is possible to secure the cookie by changing the option in application.rb file.
config.session_store :cookie_store, :key => '_redmine_session', :secure => true
But this will prevent users from accessing system via plain HTTP protocol in local network.
Let Redmine set secure cookie flag depending on request scheme and X-Forwarded-Proto HTTP-header.
Related issues
Updated by Go MAEDA almost 9 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Fixed by #20935. Please try Redmine 3.2.0.
Updated by Go MAEDA almost 9 years ago
- Is duplicate of Feature #20935: Set autologin cookie as secure by default when using https added
Updated by Anonymous almost 9 years ago
The issue #20935 doesn't seem to fix _redmine_session cookie.
Updated by Go MAEDA almost 9 years ago
- Is duplicate of deleted (Feature #20935: Set autologin cookie as secure by default when using https)
Updated by Go MAEDA almost 9 years ago
- Related to Feature #20935: Set autologin cookie as secure by default when using https added
Updated by Mahesha Matharage almost 9 years ago
This issue cannot simulate in the Dev environment.
Updated by Anonymous almost 9 years ago
Steps to simulate task¶
- Set up redmine on host A, HTTP-port 80
- Set up reverse proxy on host B, SSL-port 443
- Get Redmine page via address http://A/redmine
- Get Redemin page via address https://B/redmine
Desired behaviour¶
- Browser receives header
Set-Cookie: _redmine_session=...--...; path=/redmine/
from domain A - Browser receives header
Set-Cookie: _redmine_session=...--...; path=/redmine/; secure; HttpOnly
from domain B
Updated by Go MAEDA almost 2 years ago
You can set secure attribute to the cookie by adding the following line to config/additional_environments.rb to force access over HTTPS.
config.force_ssl = true if Rails.env.production?
Updated by Popa Marius over 1 year ago
Needs to be added to redmine site too
https://observatory.mozilla.org/analyze/redmine.org
Session cookie set without using the Secure flag or set over HTTP