Bug #12479: Secure Cookie Attribute Not Set for webConfigurator - pfSense - pfSense bugtracker

Actions

Copy link

Bug #12479

closed

Secure Cookie Attribute Not Set for webConfigurator

Added by Kris Phillips about 4 years ago. Updated about 4 years ago.

Status:

Rejected

Priority:

Normal

Assignee:

Category:

Web Interface

Target version:

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Default

Affected Version:

Affected Architecture:

All

Description

The webConfigurator does not require secure transmission of cookies using the Secure Cookie Attribute in PHP. As such it's possible, although unlikely, for someone to hijack a session since the cookie is transmitted in the clear.

Documentation here:
https://www.php.net/manual/en/function.session-set-cookie-params.php

Actions

Copy link

Updated by Jim Pingle about 4 years ago

Status changed from New to Rejected

It's already set to true if the GUI is set to HTTPS.

If it's set to HTTP, it isn't set.

source:src/etc/inc/auth.inc#L2042

Checking cookie properties in the browser also shows Secure is true.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #12479

Secure Cookie Attribute Not Set for webConfigurator

Updated by Jim Pingle about 4 years ago