Bug 51242 - Set cookie security flag if connection via https
Summary: Set cookie security flag if connection via https
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Apache
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-0-errata
Assignee: Florian Best
QA Contact: Dirk Wiesenthal
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks: 54405 53511
Reported: 2020-05-07 10:25 CEST by Dirk Schnick
Modified: 2022-02-01 15:02 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020042921000255
Bug group (optional): Security
Customer ID: 14289
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (deleted), 2021-06-24 14:47 CEST, Florian Best
patch (2.08 KB, patch), 2021-06-24 14:48 CEST, Florian Best

Description Dirk Schnick univentionstaff 2020-05-07 10:25:21 CEST
A customer has reported that we do not use the cookie secure flag. Connection downgrades make it possible to retrieve session cookies in insecure networks.

As Florian suggested, it would be an improvement if we set the flag when connecting via https.
Comment 1 Florian Best univentionstaff 2021-06-24 14:47:34 CEST
Created attachment 10758 [details]
patch
Comment 2 Florian Best univentionstaff 2021-06-24 14:48:08 CEST
The content of attachment 10758 [details] has been deleted
Comment 3 Florian Best univentionstaff 2021-06-24 14:48:36 CEST
Created attachment 10759 [details]
patch
Comment 5 Florian Best univentionstaff 2021-06-24 15:00:41 CEST
Fixed in:

univention-management-console.yaml
f46f67718adb | Bug #51242: make it possible to set secure cookies

univention-management-console (12.0.12-9)
f46f67718adb | Bug #51242: make it possible to set secure cookies
Comment 6 Dirk Wiesenthal univentionstaff 2021-06-30 12:37:13 CEST
Code: OK
YAML: OK
Cookies: OK, set with Secure: true if

ucr set umc/http/enforce-secure-cookie=true
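The QA step above checks that the session cookie now carries the Secure attribute. The following is an added example, not code from UCS or the UMC project, showing how to verify that automatically against captured response headers; the header lines and cookie names (`sessionid`, `lang`) are constructed placeholders, not UMC's real cookie names.

```python
"""Report cookies that a server sets without the Secure attribute.

Constructed sample headers below model the situation before and after
the fix in this bug; they are not captured from a real UMC instance.
"""
from typing import Dict, List, Union

BEFORE_FIX = [  # constructed: Secure flag missing on both cookies
    "Set-Cookie: sessionid=0123abcd; Path=/; HttpOnly",
    "Set-Cookie: lang=de_DE; Path=/",
    "Content-Type: text/html",
]
AFTER_FIX = [  # constructed: Secure flag present
    "Set-Cookie: sessionid=0123abcd; Path=/; HttpOnly; Secure",
    "Set-Cookie: lang=de_DE; Path=/; Secure",
    "Content-Type: text/html",
]


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_secure(headers: List[str]) -> List[str]:
    """Return the names of cookies set without the Secure attribute.

    Only Set-Cookie headers are inspected; other headers are ignored.
    Run this against the headers of an HTTPS response, since that is
    where a missing Secure flag lets a downgraded connection leak the
    cookie (the risk described in this bug).
    """
    missing = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


if __name__ == "__main__":
    print("before fix, missing Secure:", cookies_missing_secure(BEFORE_FIX))
    print("after fix, missing Secure:", cookies_missing_secure(AFTER_FIX))
```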
Comment 7 Erik Damrose univentionstaff 2021-06-30 18:54:20 CEST
<https://errata.software-univention.de/#/?erratum=5.0x40>