View Issue Details

ID: 09086
Project: Development
Category: [All Projects] Documentation
View Status: public
Last Update: 2014-06-24 19:05
Reporter: nmisic
Assigned To: DenisChenu
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 2.05
Summary: 09086: Secure cookies
Description

Hello,

If you don't use table-based sessions in config.php, the secure flag is not set in

application/core/LSYii_Application.php

It can be fixed by adding 'secure' => true on line 112.

Best regards,

Nikola

Tags: No tags attached.

Activities

DenisChenu

2014-06-16 19:20

developer   ~30104

I think you must use 'enableCookieValidation'=>true in application/config/config.php

But afterwards we must update LS core to use Yii::app()->request->cookies and not $_COOKIES ;)

Adding secure true doesn't prevent a cookie attack.

For cookies in secure mode: we only need/want it if HTTPS is set to allow or force.

DenisChenu

2014-06-17 11:45

developer   ~30118

Last edited: 2014-06-17 12:28

You can set secure cookies manually in config.php:

    'session' => array(
        'cookieMode' => 'allow',
        'cookieParams' => array(
            'httpOnly' => true,
            'secure' => true,
        ),
    ),

And you can set enableCookieValidation to true too.

    'request' => array(
        'class'=>'LSHttpRequest',
        'noCsrfValidationRoutes'=>array(
            'remotecontrol'
        ),
        'enableCsrfValidation'=>true,    // CSRF protection
        'enableCookieValidation'=>true   // Enable to activate cookie protection
    ),

[EDIT] remove domain and path cookie param
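
To confirm that the config.php session settings from the note above took effect, inspect the Set-Cookie headers the server returns. The following Python check is an added example, not part of the original thread or of LimeSurvey's code; the cookie names and header values are constructed sample data.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
# Cookie names and header values below are constructed sample data.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags),
    because attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(header, required=("secure", "httponly")):
    """Return the required flags that are absent from one Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in required if flag not in attrs]


def audit(headers):
    """Map cookie name -> list of missing flags, only for cookies that fail."""
    findings = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            findings[name] = missing
    return findings


# Constructed responses: before and after adding cookieParams to config.php.
BEFORE = ["PHPSESSID=abc123; path=/"]
AFTER = ["PHPSESSID=abc123; path=/; secure; HttpOnly"]
# Edge case: the word "secure" inside the value is not the Secure attribute.
TRICKY = ["pref=secure; Path=/; HttpOnly"]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("tricky", TRICKY)):
        print(label, audit(sample) or "ok")
```

Feed it the Set-Cookie values captured from a response served over HTTPS; an empty result means every cookie carried both flags.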

DenisChenu

2014-06-18 10:31

developer   ~30137

Move it to documentation because it can be done in config.php.

Maybe some secure true if SSL is set to force.

nmisic

2014-06-23 10:38

reporter   ~30203

Thank you, works as expected with this code added to config.php. Much better solution than changing Yii core.

DenisChenu

2014-06-23 10:44

developer   ~30204

For other users' information: does 'enableCookieValidation'=>true work well too?

Denis

nmisic

2014-06-23 11:29

reporter   ~30205

Unfortunately those settings do not work in my example.

DenisChenu

2014-06-24 19:04

developer   ~30226

http://manual.limesurvey.org/Optional_settings#Session_settings

DenisChenu

2014-06-24 19:05

developer   ~30227

Doc updated, maybe not the best place. But it's here.

Issue History

Date Modified Username Field Change
2014-06-16 12:06 nmisic New Issue
2014-06-16 19:20 DenisChenu Note Added: 30104
2014-06-17 11:34 c_schmitz Project Bug reports => Development
2014-06-17 11:45 DenisChenu Note Added: 30118
2014-06-17 12:28 DenisChenu Note Edited: 30118
2014-06-18 10:30 DenisChenu Category Security => Documentation
2014-06-18 10:30 DenisChenu Product Version 2.05+ =>
2014-06-18 10:30 DenisChenu Assigned To => DenisChenu
2014-06-18 10:30 DenisChenu Status new => assigned
2014-06-18 10:31 DenisChenu Note Added: 30137
2014-06-23 10:38 nmisic Note Added: 30203
2014-06-23 10:44 DenisChenu Note Added: 30204
2014-06-23 10:45 DenisChenu View Status private => public
2014-06-23 11:29 nmisic Note Added: 30205
2014-06-24 19:04 DenisChenu Note Added: 30226
2014-06-24 19:04 DenisChenu Status assigned => resolved
2014-06-24 19:04 DenisChenu Fixed in Version => 2.05
2014-06-24 19:04 DenisChenu Resolution open => fixed
2014-06-24 19:05 DenisChenu Note Added: 30227
2014-06-24 19:05 DenisChenu Status resolved => closed