View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
09086 | Development | Documentation | public | 2014-06-16 12:06 | 2014-06-24 19:05 |
Reporter | nmisic | Assigned To | DenisChenu | ||
Priority | normal | Severity | minor | ||
Status | closed | Resolution | fixed | ||
Fixed in Version | 2.05 | ||||
Summary | 09086: Secure cookies | ||||
Description | Hello, if you don't use table-based sessions in config.php, the secure flag is not set in application/core/LSYii_Application.php. It can be fixed by adding 'secure' => true on line 112. Best regards, -- Nikola | ||||
Tags | No tags attached. | ||||
I think you must use 'enableCookieValidation'=>true in application/config/config.php. But after that we must update LS core to use Yii::app()->request->cookies and not $_COOKIES ;) Adding secure true doesn't prevent Cookie Attack. For cookie in secure mode: we only need/want it if https is set to allow or force. |
|
You can set secure cookies manually in config.php:

```php
'session' => array(
    'cookieMode' => 'allow',
    'cookieParams' => array(
        'httpOnly' => true,
        'secure' => true,
    ),
),
```

And you can set enableCookieValidation to true too.

```php
'request' => array(
    'class'=>'LSHttpRequest',
    'noCsrfValidationRoutes'=>array(
        'remotecontrol'
    ),
    'enableCsrfValidation'=>true, // CSRF protection
    'enableCookieValidation'=>true // Enable to activate cookie protection
),
```

[EDIT] remove domain and path cookie param |
|
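An added example, not part of the original thread or LimeSurvey's code: a small check that parses `Set-Cookie` response headers and reports which cookies lack the `Secure` or `HttpOnly` flag, which is one way to confirm that the config.php settings above took effect. The function names, header lines and cookie names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly flags.
# All names and sample headers here are constructed, not LimeSurvey output.

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie_name, attrs); attrs maps lowercase attribute -> value or True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; bare flags carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, over_https=True):
    """Return a list of (cookie_name, [missing flags]) for weak cookies.

    Secure is only expected when the site is served over HTTPS, because a
    cookie marked Secure is never sent back over plain HTTP.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS
                   if flag not in attrs and (flag != "secure" or over_https)]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample Set-Cookie values (header name already stripped).
SAMPLE_HEADERS = [
    "session_before=abc123; path=/",
    "session_after=abc123; path=/; secure; HttpOnly",
    "csrf_token=deadbeef; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```
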
Move it to documentation because it can be done in config.php. Maybe some secure true if SSL is set to force. |
|
Thank you, works as expected with this code added to config.php. Much better solution than changing Yii core. | |
For other users' information: does 'enableCookieValidation'=>true work well too? Denis |
|
Unfortunately those settings do not work in my example. | |
http://manual.limesurvey.org/Optional_settings#Session_settings | |
Doc updated, maybe not the best place. But it's here. | |
Date Modified | Username | Field | Change |
---|---|---|---|
2014-06-16 12:06 | nmisic | New Issue | |
2014-06-16 19:20 | DenisChenu | Note Added: 30104 | |
2014-06-17 11:34 | c_schmitz | Project | Bug reports => Development |
2014-06-17 11:45 | DenisChenu | Note Added: 30118 | |
2014-06-17 12:28 | DenisChenu | Note Edited: 30118 | View Revisions |
2014-06-18 10:30 | DenisChenu | Category | Security => Documentation |
2014-06-18 10:30 | DenisChenu | Product Version | 2.05+ => |
2014-06-18 10:30 | DenisChenu | Assigned To | => DenisChenu |
2014-06-18 10:30 | DenisChenu | Status | new => assigned |
2014-06-18 10:31 | DenisChenu | Note Added: 30137 | |
2014-06-23 10:38 | nmisic | Note Added: 30203 | |
2014-06-23 10:44 | DenisChenu | Note Added: 30204 | |
2014-06-23 10:45 | DenisChenu | View Status | private => public |
2014-06-23 11:29 | nmisic | Note Added: 30205 | |
2014-06-24 19:04 | DenisChenu | Note Added: 30226 | |
2014-06-24 19:04 | DenisChenu | Status | assigned => resolved |
2014-06-24 19:04 | DenisChenu | Fixed in Version | => 2.05 |
2014-06-24 19:04 | DenisChenu | Resolution | open => fixed |
2014-06-24 19:05 | DenisChenu | Note Added: 30227 | |
2014-06-24 19:05 | DenisChenu | Status | resolved => closed |