Bug 7362 - Bugzilla login cookie should be restricted to secure connections
Bugzilla login cookie should be restricted to secure connections
Product: Samba Web
Classification: Unclassified
Component: content
All All
: P3 critical
: ---
Assigned To: Björn Jacke
Depends on:
  Show dependency treegraph
Reported: 2010-04-15 02:57 UTC by Matt McCutchen
Modified: 2011-03-03 18:17 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Matt McCutchen 2010-04-15 02:57:31 UTC
The Bugzilla login cookie is not restricted to secure (SSL) connections.  Thus, if I log in to Bugzilla from a hostile network and open any non-SSL page in the same browser, the network operator can 302 me to a spoofed http://bugzilla.samba.org, steal my login cookie, and proceed to impersonate
Comment 1 Björn Jacke 2011-02-25 04:23:11 UTC
do you have any links or other info about the details? We might add this for the new bugzilla but we need some more info about this :-)
Comment 2 Matt McCutchen 2011-02-26 07:55:15 UTC
See https://bugzilla.mozilla.org/show_bug.cgi?id=449984 .  It looks like Bugzilla 3.2 and newer take care of this automatically if the "ssl*" parameters are set correctly.  You just may wish to clear the "logincookies" table on upgrade so that previously issued cookies that may have been leaked are no longer accepted.
Comment 3 Frédéric Buclin 2011-03-03 17:55:32 UTC
This is now fixed. Login cookies are now transmitted over SSL only.
Comment 4 Matt McCutchen 2011-03-03 18:17:55 UTC
Verified.  And my cookie from before the upgrade was correctly rejected.  Nice work.