Defect #6792

closed

Set cookie secure flag when accessing Redmine over HTTPS

Added by Sen Haerens about 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
2010-11-02
Due date:
% Done:
0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

Is it possible to add this to Redmine?
I'm proxying via Nginx with header "X-Forwarded-Proto https".

http://codebutler.com/firesheep-a-day-later

Full HTTPS for everything — Some sites support full encryption everywhere, but don’t implement it properly by failing to set the “Secure” flag on authentication cookies, negating most of the benefits and leaving users at risk. What that means is that any time you type the URL (e.g. “manage.slicehost.com”) into your web browser (without explicitly typing https:// beforehand, which people rarely do) you will inadvertently leak your cookies with that first request, prior to being redirected to the HTTPS page. Slicehost and Dropbox are good examples of this mistake.

#1

Updated by Holger Just about 14 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid

It is possible. Add :secure => true to the hash in config/initializers/session_store.rb.

In the future, please ask such questions in the forums. The issue tracker is only used for code issues, not for support questions.
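As an added illustration (not Redmine's own code, and not part of the original issue or reply), the following Rack-style middleware shows the check a reverse-proxied deployment like the reporter's Nginx setup needs: it treats the request as HTTPS when either the app's own scheme or the proxy's X-Forwarded-Proto header says so, and appends the Secure attribute to every Set-Cookie header on such responses. The class and function names are hypothetical.

```ruby
# Added example, not Redmine code. Names (https_request?, secure_cookies,
# SecureCookieFlag) are hypothetical.

# Decide whether the client-facing connection was HTTPS. rack.url_scheme covers
# direct TLS; HTTP_X_FORWARDED_PROTO covers a proxy (e.g. Nginx) that terminates
# TLS and forwards plain HTTP. The header is only trustworthy when the proxy is
# the sole path to the app, since any client could otherwise set it.
def https_request?(env)
  return true if env['rack.url_scheme'] == 'https'
  proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
  proto.downcase == 'https'
end

# Append "; Secure" to each cookie unless the attribute is already present.
# Several cookies may arrive joined by newlines (Rack 1.x) or as an Array.
# Attribute names are compared case-insensitively, as RFC 6265 requires.
def secure_cookies(set_cookie)
  cookies = set_cookie.is_a?(Array) ? set_cookie : set_cookie.to_s.split("\n")
  cookies.map do |cookie|
    attrs = cookie.split(';').map(&:strip)
    attrs << 'Secure' unless attrs.any? { |a| a.casecmp('secure').zero? }
    attrs.join('; ')
  end.join("\n")
end

# Middleware: marks session and other cookies Secure only on HTTPS responses,
# so a cookie issued over TLS is never replayed by the browser over plain HTTP.
class SecureCookieFlag
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if https_request?(env) && headers['Set-Cookie']
      headers['Set-Cookie'] = secure_cookies(headers['Set-Cookie'])
    end
    [status, headers, body]
  end
end
```

In a Rails app this would be wired with config.middleware.use, but in practice the :secure option on the session store from the reply above is the simpler fix for the session cookie itself.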
