Project

General

Profile

Actions

Feature #21697

open

Set secure flag of the session cookie depending on original request

Added by Anonymous about 8 years ago. Updated 9 months ago.

Status:
Reopened
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

The default configuration of redmine sends session cookie open for any connection type. This allows an attacker to steal the session cookie and access one's redmine session.

It is possible to secure the cookie by changing the option in application.rb file.

config.session_store :cookie_store, :key => '_redmine_session', :secure => true

But this will prevent users from accessing system via plain HTTP protocol in local network.

Let Redmine set secure cookie flag depending on request scheme and X-Forwarded-Proto HTTP-header.


Related issues

Related to Redmine - Feature #20935: Set autologin cookie as secure by default when using httpsClosedJean-Philippe Lang

Actions
Actions

Also available in: Atom PDF