Bug 53531 - Cookie "UMCLang" without "Secure: true"
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2021-06-30 12:44 CEST by Dirk Wiesenthal
Modified: 2022-02-23 14:42 CET
CC: 4 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Dirk Wiesenthal univentionstaff 2021-06-30 12:44:23 CEST
We have a "frontend cookie" that is only set by our frontend and only used by our frontend. It stores the preferred language across "login sessions".

This cookie is not set with Secure: true, which produces a browser warning when it is used in an HTTPS session:

Cookie “UMCLang” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

The same applies to a cookie named _umcCookieCheck, apparently only used to check the browser feature.
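The rule behind the warning quoted in the report, as an added example that is not UMC/UCS code: a frontend-only cookie such as UMCLang is written through document.cookie, and modern browsers reject any cookie whose SameSite attribute is "None" (or, per the quoted warning, an unrecognised value) unless it also carries Secure. The helpers below (buildCookie, parseCookieAttributes, cookieAccepted) and the sample language value are assumptions for illustration; the "current" string models the cookie as the report describes it, the "fixed" string the same cookie with Secure added.

```javascript
// Added example, not code from UCS/UMC. Helper names and sample values are assumptions.
const VALID_SAMESITE = ["strict", "lax", "none"];

// Serialize a cookie the way frontend code would before assigning it to document.cookie.
function buildCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  if (opts.secure) parts.push("Secure");
  return parts.join("; ");
}

// Parse a cookie string back into its name/value pair and the attributes that matter here.
// Attribute names and SameSite values are matched case-insensitively, as browsers do.
function parseCookieAttributes(cookieString) {
  const [pair, ...attrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const parsed = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    secure: false,
    sameSite: null, // null means the attribute is absent
  };
  for (const attr of attrs) {
    const [key, ...rest] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") parsed.secure = true;
    else if (k === "samesite") parsed.sameSite = rest.join("=").trim().toLowerCase();
  }
  return parsed;
}

// Apply the rule from the quoted browser warning: SameSite=None, or an unrecognised
// SameSite value, requires Secure. A cookie with no SameSite attribute is kept
// (browsers fall back to their default, Lax).
function cookieAccepted(cookieString) {
  const c = parseCookieAttributes(cookieString);
  if (c.sameSite === null) {
    return { accepted: true, reason: "no SameSite attribute; browser default applies" };
  }
  const requiresSecure = c.sameSite === "none" || !VALID_SAMESITE.includes(c.sameSite);
  if (requiresSecure && !c.secure) {
    return { accepted: false, reason: `SameSite=${c.sameSite} without Secure` };
  }
  return { accepted: true, reason: "ok" };
}

// Constructed sample: the cookie as the report describes it, and the corrected form.
const LANG = "de-DE"; // assumed value of the preferred-language cookie
const current = buildCookie("UMCLang", LANG, { path: "/", maxAge: 31536000, sameSite: "None" });
const fixed = buildCookie("UMCLang", LANG, { path: "/", maxAge: 31536000, sameSite: "None", secure: true });

// In a browser on an https:// page the frontend would persist the corrected cookie with:
//   document.cookie = fixed;
// Outside a browser (no document object) only the acceptance rule is evaluated.
if (typeof document === "undefined") {
  console.log(current, "->", cookieAccepted(current).reason);
  console.log(fixed, "->", cookieAccepted(fixed).reason);
}
```

Two caveats when applying the fix: a cookie carrying Secure that is set from a plain http:// page is silently discarded by current browsers, so the corrected string only takes effect in HTTPS sessions; and for a cookie that is only read by the same frontend, SameSite=Lax or Strict would also clear the warning without depending on Secure, though adding Secure remains the right choice for an HTTPS deployment.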
Comment 1 Dirk Wiesenthal univentionstaff 2021-06-30 12:45:40 CEST
... and maybe even UMCUsername? Could not find it in the cookie store, but a browser warning was seen.
Comment 2 Florian Best univentionstaff 2021-06-30 14:23:37 CEST
(In reply to Dirk Wiesenthal from comment #1)
> ... and maybe even UMCUsername? Could not find it in the cookie store, but a
> warning by the browser was seen.

No, UMCUsername is removed in the frontend after a login.