Roundup Tracker - Issues

Issue 2550689

Cookie security
Type: security Severity: normal
Components: Web interface Versions: 1.4
Status: closed fixed
: schlatterbeck : joseph_myers, schlatterbeck
Priority: :

Created on 2011-02-22 20:07 by joseph_myers, last changed 2012-11-10 12:13 by schlatterbeck.

msg4245 Author: [hidden] (joseph_myers) Date: 2011-02-22 20:07
When the configured URL for a Roundup tracker is an https: URL,
Roundup's cookies should be marked Secure so they do not get sent back
over non-https connections.

Roundup's cookies should also be marked HttpOnly so that any
cross-site-scripting vulnerabilities do not result in cookies being
msg4501 Author: [hidden] (schlatterbeck) Date: 2012-02-23 14:00
Hopefully fixed in git c3efd9d -- I've used "secure" (not uppercase) and
HttpOnly in this peculiar case. Hope this works as intended, I have no
way to really test this. I'm keeping this open, if someone can test
this, please do and notify us here.
msg4671 Author: [hidden] (schlatterbeck) Date: 2012-11-10 12:13
Update: Recently tested via a proxy setup from https to http. The
cookies don't transfer through, so this works (with recent browsers).
Date User Action Args
2012-11-10 12:13:05schlatterbecksetstatus: open -> closed
messages: + msg4671
2012-02-23 14:00:40schlatterbecksetstatus: new -> open
assignee: schlatterbeck
resolution: fixed
messages: + msg4501
nosy: + schlatterbeck
2011-02-22 20:07:34joseph_myerscreate