Bug 7362 - Bugzilla login cookie should be restricted to secure connections
Summary: Bugzilla login cookie should be restricted to secure connections
Status: RESOLVED FIXED
Alias: None
Product: Samba Web
Classification: Unclassified
Component: content (show other bugs)
Version: unspecified
Hardware: All All
Importance: P3 critical
Target Milestone: ---
Assignee: Björn Jacke
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-15 02:57 UTC by Matt McCutchen
Modified: 2011-03-03 18:17 UTC (History)
See Also:


Description Matt McCutchen 2010-04-15 02:57:31 UTC
The Bugzilla login cookie is not restricted to secure (SSL) connections.  Thus, if I log in to Bugzilla from a hostile network and open any non-SSL page in the same browser, the network operator can 302 me to a spoofed http://bugzilla.samba.org, steal my login cookie, and proceed to impersonate me.
Comment 1 Björn Jacke 2011-02-25 04:23:11 UTC
Do you have any links or other info about the details? We might add this for the new bugzilla but we need some more info about this :-)
Comment 2 Matt McCutchen 2011-02-26 07:55:15 UTC
See https://bugzilla.mozilla.org/show_bug.cgi?id=449984 .  It looks like Bugzilla 3.2 and newer take care of this automatically if the "ssl*" parameters are set correctly.  You just may wish to clear the "logincookies" table on upgrade so that previously issued cookies that may have been leaked are no longer accepted.
Comment 3 Frédéric Buclin 2011-03-03 17:55:32 UTC
This is now fixed. Login cookies are now transmitted over SSL only.
Comment 4 Matt McCutchen 2011-03-03 18:17:55 UTC
Verified.  And my cookie from before the upgrade was correctly rejected.  Nice work.
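As an added example that is not part of this bug report or of Bugzilla's own code, the check below parses Set-Cookie headers and flags session cookies that lack the Secure attribute, which is the defect the description reports (and HttpOnly, which is the usual companion check); the cookie names and header lines are constructed for illustration.

```python
# Added example, not from the bug page or from Bugzilla: audit Set-Cookie
# headers for session cookies missing the Secure (and HttpOnly) attribute.
import re
from dataclasses import dataclass, field

# Heuristic: cookie names that look like session/login cookies (assumption).
SESSION_COOKIE_PATTERN = re.compile(r"login|session|sid", re.IGNORECASE)

MISSING_SECURE = "missing Secure: cookie would be sent over plain http"
MISSING_HTTPONLY = "missing HttpOnly: cookie readable by script"


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record attribute findings."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure have no value
    audit = CookieAudit(name=name.strip(),
                        secure="secure" in attrs,
                        httponly="httponly" in attrs)
    if SESSION_COOKIE_PATTERN.search(audit.name):
        if not audit.secure:
            audit.problems.append(MISSING_SECURE)
        if not audit.httponly:
            audit.problems.append(MISSING_HTTPONLY)
    return audit


def audit_headers(headers):
    """Return (cookie name, problems) for every Set-Cookie header, in order."""
    return [(a.name, a.problems) for a in map(parse_set_cookie, headers)]


# Constructed sample headers: the first two resemble the pre-fix state the
# bug describes, the last one the fixed state (cookie values are placeholders).
SAMPLE_HEADERS = [
    "Bugzilla_login=CONSTRUCTED_ID; Path=/",
    "Bugzilla_logincookie=CONSTRUCTED_TOKEN; Path=/; HttpOnly",
    "LANG=en; Path=/",
    "Bugzilla_logincookie=CONSTRUCTED_TOKEN2; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_HEADERS):
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against the headers of a real login response (for example the output of an HTTPS request with redirects disabled) to confirm the fix described in comment 3; the cookie issued before the upgrade, as comment 4 notes, must also be rejected server-side, which this client-side check cannot verify.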