Forum OpenACS Improvement Proposals (TIPs): TIP#122 (Approved) Made as_session_id_sec secure cookie

Request notifications

Right now we have secure variants of as_user_login cookie but not the ad_session_id cookie.

I have made a patch that adds this so in a secure conn all cookies will be sent securely.

Security scanners, which more people are using, flag the non-secure cookie as a problem. In practice there probably is not any information in the session_id cookie, but its easy to fix.

I propose applying the following patch.

Any comments or suggestions are welcome.

*** security-procs.tcl 2007-08-27 13:01:08.000000000 -0400
--- security-procs.tcl.orig 2007-08-27 12:56:35.000000000 -0400
***************
*** 15,21 ****
# cookies (all are signed cookies):
# cookie value max-age secur
e
# ad_session_id session_id,user_id,login_level SessionTimeout no
- # ad_session_id_secure session_id,user_id,login_level SessionTimeout yes
# ad_user_login user_id,issue_time,auth_token never expires no
# ad_user_login_secure user_id,random never expires yes
# ad_secure_token session_id,user_id,random SessionLifetime yes
--- 15,20 ----
***************
*** 77,87 ****
} {
ns_log debug "OACS= sec_handler: enter"
if { [catch {
! if { [security::secure_conn_p]} {
! set cookie_list [ad_get_signed_cookie_with_expr "ad_session_id_sec
ure"]
! } else {
! set cookie_list [ad_get_signed_cookie_with_expr "ad_session_id"]
! }
} errmsg ] } {
# Cookie is invalid because either:
# -> it was never set
--- 76,82 ----
} {
ns_log debug "OACS= sec_handler: enter"
if { [catch {
! set cookie_list [ad_get_signed_cookie_with_expr "ad_session_id"]
} errmsg ] } {
# Cookie is invalid because either:
# -> it was never set
***************
*** 304,310 ****
Logs the user out.
} {
ad_set_cookie -replace t -max_age 0 ad_session_id ""
- ad_set_cookie -replace t -max_age 0 ad_session_id_secure ""
ad_set_cookie -replace t -max_age 0 ad_secure_token ""
ad_set_cookie -replace t -max_age 0 ad_user_login ""
ad_set_cookie -replace t -max_age 0 ad_user_login_secure ""
--- 299,304 ----
***************
*** 468,477 ****
ns_log Debug "Security: [ns_time] sec_generate_session_id_cookie setting s
ession_id=$session_id, user_id=$user_id, login_level=$login_level"
ad_set_signed_cookie -replace t -max_age [sec_session_timeout] \
"ad_session_id" "$session_id,$user_id,$login_level"
- if {[security::secure_conn_p]} {
- ad_set_signed_cookie -secure t -replace t -max_age [sec_session_timeou
t] \
- "ad_session_id_secure" "$session_id,$user_id,$login_level"
- }
}

ad_proc -private sec_generate_secure_token_cookie { } {
--- 462,467 ----

Collapse
Posted by Don Baccus on
Approve - do I get some free cookies at the next conference, now?
Collapse
Posted by Don Baccus on
Approve for HEAD, not 5.4.2 that is ...
Collapse
Posted by Emmanuelle Raffenne on
I approve
approved
Collapse
Posted by Gustaf Neumann on
approved
Collapse
Posted by Dave Bauer on
I found a bug in that the ad_session_id cookie is still sent for secure connections.

The change is to set the secure cookie on all connectons, and only read the secure cookie on secure connections, I am testing this implementation now.

Collapse
Posted by Dave Bauer on
Looks like this never got completed! I am looking into making sure this works.