Opened 5 years ago

Last modified 18 months ago

#10428 new defect

Visiting http://awards.tweakers.net logs you out on tweakers.net

Reported by: cypherpunks
Owned by: pde
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity: Normal
Keywords: httpse-ruleset-bug
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The ruleset for *.tweakers.net doesn't enforce https for the subdomain awards.tweakers.net. Combined with the securecookie rule this causes the session-id cookie to be overwritten with a new one for a not-logged-in session.

It probably is best to just be less specific wrt subdomains:

<rule from="http://([a-z]+\.)?tweakers\.net/"
      to="https://$1tweakers.net/" />

Also the exclusion rule for crossdomain.xml might not be necessary anymore, but I haven't checked that yet.
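The logout sequence described in this ticket can be modelled as follows. This is an added example, not part of the original ticket or of the HTTPS Everywhere code. The `NARROW` rule, the cookie name `session` and the session values are constructed stand-ins, `BROAD` is the rule proposed above, and the cookie jar assumes a browser that lets a plain-HTTP response replace a cookie flagged Secure, as the ticket reports.

```javascript
// NARROW: hypothetical stand-in for a ruleset that lists subdomains explicitly.
// BROAD: the rule proposed in the ticket, copied as written.
const NARROW = [{ from: /^http:\/\/(www\.)?tweakers\.net\//, to: "https://$1tweakers.net/" }];
const BROAD = [{ from: /http:\/\/([a-z]+\.)?tweakers\.net\//, to: "https://$1tweakers.net/" }];

// Apply the first matching rewrite rule, as a ruleset would.
function rewrite(url, rules) {
  for (const r of rules) {
    if (r.from.test(url)) return url.replace(r.from, r.to);
  }
  return url;
}

// One request against a jar holding a single Domain=.tweakers.net cookie.
function visit(jar, url, rules) {
  const finalUrl = rewrite(url, rules);
  const https = finalUrl.startsWith("https://");
  const c = jar.get("session");
  // A Secure cookie is only attached to HTTPS requests.
  const sent = c && (!c.secure || https) ? c.value : null;
  if (sent === null) {
    // The server sees no session and sets a fresh anonymous one for the
    // whole domain. securecookie only flags cookies received over HTTPS.
    jar.set("session", { value: "anonymous", secure: https });
  }
  return { finalUrl, sent };
}

function scenario(rules) {
  const jar = new Map();
  // State after logging in over HTTPS: securecookie has flagged the cookie.
  jar.set("session", { value: "logged-in", secure: true });
  const awards = visit(jar, "http://awards.tweakers.net/", rules);
  const back = visit(jar, "http://tweakers.net/", rules);
  return { awards, back, session: jar.get("session").value };
}

for (const [name, rules] of [["narrow", NARROW], ["broad", BROAD]]) {
  const r = scenario(rules);
  console.log(name, "| awards ->", r.awards.finalUrl,
              "| cookie sent:", r.awards.sent, "| session after:", r.session);
}
```
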

Change History (1)

comment:1 Changed 18 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
