Page MenuHomePhabricator
Create Task
Maniphest T105451

WMF-Last-Access cookies doesn't set Secure flag
Closed, DuplicatePublic
Actions

Description

The "WMF-Last-Access" cookie is not secure now. Although HSTS is enabled, Secure flag is still needed, since old browsers don't support HSTS, and it is possible for users to clear the HSTS records without clearing cookies.

About WMF-Last-Access: https://wikitech.wikimedia.org/wiki/Analytics/Unique_clients/Last_access_solution

Details

SubjectRepoBranchLines +/-
Add "Secure" flag to GeoIP cookieoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 DuplicateNoneT105451 WMF-Last-Access cookies doesn't set Secure flag

Event Timeline

Chmarkine created this task.Jul 10 2015, 7:55 AM
Chmarkine raised the priority of this task from to Needs Triage.
Chmarkine updated the task description. (Show Details)
Chmarkine added a project: HTTPS.
Chmarkine added subscribers: Chmarkine, BBlack, JanZerebecki.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 10 2015, 7:55 AM
gerritbot subscribed.Jul 10 2015, 8:36 AM

Change 224029 had a related patch set uploaded (by Chmarkine):
Secure GeoIP and WMF-Last-Access cookies

https://gerrit.wikimedia.org/r/224029

gerritbot added a project: Patch-For-Review.Jul 10 2015, 8:36 AM
Chmarkine renamed this task from GeoIP cookie doesn't set Secure flag to GeoIP and WMF-Last-Access cookies don't set Secure flag.Jul 10 2015, 8:39 AM
Chmarkine set Security to None.
Chmarkine updated the task description. (Show Details)
Chmarkine added subscribers: ori, faidon.
Chmarkine added a parent task: T104681: HTTPS Plans (tracking / high-level info).Jul 10 2015, 9:17 AM
Chmarkine updated the task description. (Show Details)
gerritbot added a comment.Jul 28 2015, 4:12 PM

Change 224029 abandoned by Chmarkine:
Add "Secure" flag to GeoIP cookie

Reason:
I agree now. I neglected the fact that a MITM can obtain the user's location by looking up his the victim's IP address directly.

https://gerrit.wikimedia.org/r/224029

Chmarkine renamed this task from GeoIP and WMF-Last-Access cookies don't set Secure flag to WMF-Last-Access cookies doesn't set Secure flag.Jul 28 2015, 4:14 PM
Chmarkine updated the task description. (Show Details)
Chmarkine removed a project: Patch-For-Review.
MZMcBride added a project: good first task.Jul 29 2015, 2:42 AM
MZMcBride subscribed.

This seems fairly straightforward to do, so I've tagged this task with the good first task keyword accordingly. If this is mistaken, please feel free to revert.

Krenair added a project: SRE.Oct 27 2015, 2:30 PM
Krenair subscribed.
chasemp triaged this task as Medium priority.Oct 28 2015, 7:23 PM
chasemp added a project: Traffic.
Dzahn moved this task from Backlog to Cookies on the HTTPS board.Dec 3 2015, 10:26 PM
BBlack closed this task as a duplicate of T119576: Mark cookies from varnish as secure.Apr 12 2016, 4:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL