Defect #6792
closed
Set cookie secure flag when accessing Redmine over HTTPS
0%
Description
Is it possible to add this to Redmine?
I'm proxying via Nginx with header "X-Forwarded-Proto https".
http://codebutler.com/firesheep-a-day-later
Full HTTPS for everything — Some sites support full encryption everywhere, but don’t implement it properly by failing to set the “Secure” flag on authentication cookies, negating most of the benefits and leaving users at risk. What that means is that any time you type the URL (e.g. “manage.slicehost.com”) into your web browser (without explicitly typing https:// beforehand, which people rarely do) you will inadvertently leak your cookies with that first request, prior to being redirected to the HTTPS page. Slicehost and Dropbox are good examples of this mistake.
Updated by Holger Just about 14 years ago
- Status changed from New to Closed
- Resolution set to Invalid
It is possible. Add :secure => true to the hash in config/initializers/session_store.rb.
In the future, please ask such questions in the forums. The issue tracker is only uses for code issues, not for support questions.