
roundup_session_gCodesBTS cookie on bugs.g10code.com should set the secure flag
Closed, Resolved (Public)

Description

Currently, the session cookie associated with a login on this issue tracker does
not have the secure flag set. This means that anyone controlling an upstream
router can potentially sniff the cookie (and thereby hijack the browser's
session) by tricking the user into sending a cleartext HTTP request to
bugs.g10code.com. This would be as simple as injecting a hidden "img" tag into
an unrelated cleartext HTTP request (e.g. a typical web search).
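The check a maintainer would run on the tracker's response headers, written as an added example (not code from this ticket, from roundup, or from GnuPG): it parses a Set-Cookie value, reports which protective attributes are missing, shows whether a browser would attach the cookie to a cleartext request, and emits the hardened header. The cookie name is the one from the ticket title; the session value and path are constructed for the example.

```python
"""Audit and harden a Set-Cookie header for the Secure (and HttpOnly) attributes."""

# Canonical spellings of the attributes we re-emit when rebuilding the header.
CANONICAL = {
    "path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
}

def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_set_cookie(header_value: str) -> list:
    """Return the protective attributes the cookie lacks, in a fixed order."""
    attrs = parse_set_cookie(header_value)["attrs"]
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")      # cookie will be sent over cleartext HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")    # cookie readable from page scripts
    return missing

def browser_would_send(header_value: str, scheme: str) -> bool:
    """Model the browser rule at issue: a Secure cookie is only attached to https requests."""
    attrs = parse_set_cookie(header_value)["attrs"]
    return scheme == "https" or "secure" not in attrs

def harden_set_cookie(header_value: str) -> str:
    """Rebuild the header with Secure and HttpOnly added if absent; other attributes kept."""
    cookie = parse_set_cookie(header_value)
    attrs = dict(cookie["attrs"])
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    out = [f"{cookie['name']}={cookie['value']}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)

# Constructed header as the tracker would have sent it at the time of the report
# (the session value is made up for this example).
VULNERABLE = "roundup_session_gCodesBTS=0123456789abcdef; Path=/"

if __name__ == "__main__":
    print("missing:", audit_set_cookie(VULNERABLE))
    print("sent over http?", browser_would_send(VULNERABLE, "http"))
    fixed = harden_set_cookie(VULNERABLE)
    print("hardened:", fixed)
    print("sent over http after fix?", browser_would_send(fixed, "http"))
```

Running it against the constructed header reports both attributes missing and shows that the original cookie would ride along on the hidden-image request the description mentions, while the hardened header is only sent over https. The same `audit_set_cookie` can be pointed at a captured `Set-Cookie` line from any login response.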

Event Timeline

Well, this is a bug in roundup. It would be useful to report that upstream.

OTOH, I don't consider this a problem requiring immediate action. We use https
and accounts mainly to avoid spam and trolls.

werner claimed this task.
werner added a project: Won't Fix.