Feature #21697

Updated by Toshi MARUYAMA about 4 years ago

The default configuration of redmine sends session cookie open for any connection type. This allows an attacker to steal the session cookie and access one's redmine session.

It is possible to secure the cookie by changing the option in application.rb file.

<pre><code class="ruby"> &lt;pre&gt;
config.session_store :cookie_store, :key => '_redmine_session', :secure => true
</code></pre> &lt;/pre&gt;

But this will prevent users from accessing system via plain HTTP protocol in local network.

Let Redmine set secure cookie flag depending on request scheme and X-Forwarded-Proto HTTP-header.