Opened 7 years ago

Last modified 3 years ago

#10428 new defect

Visiting logs you out on

Reported by: cypherpunks
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords: httpse-ruleset-bug
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


The ruleset for * doesn't enforce https for the subdomain Combined with the securecookie rule this causes the session-id cookie to be overwritten with a new one for a not-logged-in session.

It probably is best to just be less specific wrt subdomains:

<rule from="http://([a-z]+\.)?tweakers\.net/"
      to="https://$" />

Also the exclusion rule for crossdomain.xml might not be necessary anymore, but I haven't checked that yet.
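An added example, not part of the original ticket and not HTTPS Everywhere's own code: a simplified JavaScript model of the mismatch described above, where a securecookie pattern covers more hosts than the rewrite rules do. Only the proposed `from` pattern comes from the ticket; the narrow ruleset, the securecookie pattern, the cookie name, the hostnames and the `to` target `https://$1tweakers.net/` are constructed assumptions.

```javascript
// Simplified model of an HTTPS Everywhere ruleset (not the extension's code).
// Everything below except PROPOSED_FROM is a constructed assumption.
const PROPOSED_FROM = "http://([a-z]+\\.)?tweakers\\.net/"; // from the ticket
const ASSUMED_TO = "https://$1tweakers.net/";               // assumed target

const securecookies = [{ host: "^(.+\\.)?tweakers\\.net$", name: ".+" }];
const narrow = {
  rules: [{ from: "http://(www\\.)?tweakers\\.net/", to: ASSUMED_TO }],
  securecookies,
};
const proposed = { rules: [{ from: PROPOSED_FROM, to: ASSUMED_TO }], securecookies };

// Return the upgraded URL, or null when no rule matches (request stays HTTP).
function rewrite(ruleset, url) {
  for (const { from, to } of ruleset.rules) {
    const re = new RegExp(from);
    if (re.test(url)) return url.replace(re, to);
  }
  return null;
}

// True when a securecookie entry would add the Secure flag to this cookie.
function cookieSecured(ruleset, host, name) {
  return ruleset.securecookies.some(
    (sc) => new RegExp(sc.host).test(host) && new RegExp(sc.name).test(name)
  );
}

// Hosts where the cookie is marked Secure but HTTP requests are not upgraded:
// the cookie is withheld on HTTP, so the site sets a new anonymous session.
function coverageGaps(ruleset, hosts, cookieName) {
  return hosts.filter(
    (h) => cookieSecured(ruleset, h, cookieName) &&
           rewrite(ruleset, `http://${h}/`) === null
  );
}

// Constructed hostnames; "sub" and "cdn-1" are placeholder subdomains.
const hosts = ["tweakers.net", "www.tweakers.net", "sub.tweakers.net", "cdn-1.tweakers.net"];
console.log(coverageGaps(narrow, hosts, "session"));   // gaps under the narrow rule
console.log(coverageGaps(proposed, hosts, "session")); // gaps that remain
```

In this model the `[a-z]+` label closes the gap for single lowercase-letter subdomains only; labels with digits or hyphens, and nested subdomains, still fall outside the rule while the securecookie pattern covers them.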


Change History (1)

comment:1 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
