Opened 9 years ago

Closed 8 years ago

Last modified 4 years ago

#2098 closed defect (fixed)

Tor Trac sets cookies over HTTPS that can be sent over cleartext HTTP

Reported by: rransom Owned by: erinn
Priority: Very High Milestone:
Component: Internal Services/Service - trac Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Both the trac_auth and trac_form_token cookies are described in Firefox's ‘Cookies’ dialog as “Send For: Any type of connection”. The Tor Project should not do this.

Child Tickets

Change History (10)

comment:1 Changed 9 years ago by phobos

Owner: changed from phobos to erinn
Status: new → assigned

I think this is going to involve patching trac and maintaining a custom trac installation. Perhaps we should get the patch into the real trac codebase.

comment:2 Changed 8 years ago by nickm

Component: Website → Trac
Priority: major → critical

comment:3 Changed 8 years ago by dkg

See http://trac.edgewall.org/ticket/5910 for discussion.

I think you only need to set

[trac]
 secure_cookies = true

in trac.ini

comment:4 Changed 8 years ago by dkg

Hrm, actually, this doesn't seem to be a problem to me. I think the cookies for this web site are already marked with the secure flag.

comment:5 in reply to: 4 Changed 8 years ago by rransom

Replying to dkg:

Hrm, actually, this doesn't seem to be a problem to me. I think the cookies for this web site are already marked with the secure flag.

The cookies are still marked as “Send for: Any type of connection” in my browser.

comment:6 Changed 8 years ago by dkg

Well, what do you know. trac_session (before authentication) and trac_auth (after authentication) and trac_form_token (any time) all lack the secure flag when I view them in my alternate browser (arora). I must have some other kind of filtering going on in my firefox instance that auto-sets that flag for me. Is such a feature enabled in the latest 0.3.0 build of https-everywhere?

Anyway, yes, I agree with rransom that this is still a problem.
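A way to check both points raised above, the `secure_cookies` setting from comment:3 and the three cookies dkg lists in comment:6, as an added example that is not part of this ticket or of Trac itself. The Set-Cookie header values and the trac.ini text are constructed samples; the cookie names are the ones from the ticket.

```python
"""Audit Trac cookies for the Secure flag (ticket #2098 scenario).

Added example, not Trac code. The headers below are constructed to look like
what a Trac instance without secure_cookies would emit.
"""
import configparser

# Constructed sample: three Trac cookies without Secure, one unrelated cookie with it.
SAMPLE_HEADERS = [
    "Set-Cookie: trac_session=0123456789abcdef; Path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT",
    "Set-Cookie: trac_auth=fedcba9876543210; Path=/",
    "Set-Cookie: trac_form_token=00ff00ff00ff00ff; Path=/",
    "Set-Cookie: other=1; Path=/; Secure; HttpOnly",
]

# Constructed trac.ini fragment, written as in comment:3 (indented value line).
SAMPLE_TRAC_INI = "[trac]\n secure_cookies = true\n"


def parse_set_cookie(header):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie line."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Flag attributes (Secure, HttpOnly) have no '='; Path=/ and expires=... do.
    # Keeping only the key lets both kinds be checked the same way.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(headers):
    """Names of cookies the browser would also send over cleartext HTTP."""
    return [name for name, attrs in map(parse_set_cookie, headers) if "secure" not in attrs]


def trac_ini_secure_cookies(ini_text):
    """True when [trac] secure_cookies is enabled in the given trac.ini contents."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getboolean("trac", "secure_cookies", fallback=False)


if __name__ == "__main__":
    print("secure_cookies enabled:", trac_ini_secure_cookies(SAMPLE_TRAC_INI))
    print("cookies lacking Secure:", cookies_missing_secure(SAMPLE_HEADERS))
```

Run it against the Set-Cookie headers captured from a real HTTPS response (for example from a browser's network panel) to confirm the fix the way rransom does in comment:8.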

comment:7 in reply to: 3 Changed 8 years ago by erinn

Status: assigned → accepted

Replying to dkg:

See http://trac.edgewall.org/ticket/5910 for discussion.

I think you only need to set

[trac]
 secure_cookies = true

in trac.ini

Implemented. Works for me and dkg claims it works for him too. rransom, care to confirm before I close as fixed?

comment:8 Changed 8 years ago by rransom

Both trac_auth and trac_form_token are now secured.

comment:9 Changed 8 years ago by erinn

Resolution: fixed
Status: accepted → closed

comment:10 Changed 4 years ago by qbi

Component: Trac → Service - trac

Move all tickets from trac to "Service - trac" component.
