
WMF-Last-Access cookie doesn't set Secure flag
Closed, DuplicatePublic

Description

The "WMF-Last-Access" cookie is not secure now. Although HSTS is enabled, the Secure flag is still needed, since old browsers don't support HSTS, and it is possible for users to clear the HSTS records without clearing cookies.

About WMF-Last-Access: https://wikitech.wikimedia.org/wiki/Analytics/Unique_clients/Last_access_solution
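As an added example (not code from this task, from the Gerrit change, or from Wikimedia's Varnish configuration), the check below parses Set-Cookie headers and flags every cookie that lacks the Secure attribute, deliberately ignoring Strict-Transport-Security for the reason the description gives: HSTS is per-browser state that old browsers do not implement and that users can clear independently of their cookie jar. It also shows the one-line fix of appending Secure. The sample headers are constructed; only the cookie names come from the task, and the attributes shown for them are assumptions.

```python
# Added example: a small Set-Cookie auditor. Not code from the Wikimedia
# task, its Gerrit change, or the production Varnish config. The sample
# headers below are constructed; the attributes the real edge sent in 2015
# are an assumption, only the cookie names come from the task.


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lowercased.
    Flag attributes such as Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def hsts_enabled(headers):
    """True if the response carries a Strict-Transport-Security header."""
    return any(h.lower() == "strict-transport-security" for h, _ in headers)


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute, in header order.

    HSTS is intentionally not consulted: a browser without HSTS support, or
    one whose HSTS records were cleared, will still send a cookie that lacks
    Secure in clear text on its next http:// request.
    """
    missing = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cname, _, attrs = parse_set_cookie(hvalue)
        if "secure" not in attrs:
            missing.append(cname)
    return missing


def add_secure(header_value):
    """The fix: return the Set-Cookie value with '; Secure' appended if absent."""
    _, _, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


def audit(headers):
    """Return (cookie_name, finding) pairs for one response's headers."""
    findings = []
    hsts = hsts_enabled(headers)
    for name in insecure_cookies(headers):
        note = "no Secure attribute"
        if hsts:
            note += "; HSTS present but not a substitute"
        findings.append((name, note))
    return findings


# Constructed sample response headers, as an HTTPS client might see them.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "WMF-Last-Access=10-Jul-2015;Path=/;HttpOnly;Expires=Tue, 11 Aug 2015 12:00:00 GMT"),
    # GeoIP is flagged as well; the task records why that change was withdrawn.
    ("Set-Cookie", "GeoIP=US:CA:San_Francisco:37.77:-122.42:v4; Path=/; Domain=.wikipedia.org"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE_HEADERS):
        print(f"{cookie}: {finding}")
    print(add_secure(SAMPLE_HEADERS[1][1]))
```

The checker is mechanical: it reports GeoIP too, and the thread below is where the human judgement about that cookie is recorded. Run it against captured headers from a real response to see which cookies would still cross the wire on a plain http:// request.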

Event Timeline

Chmarkine raised the priority of this task from to Needs Triage.
Chmarkine updated the task description. (Show Details)
Chmarkine added a project: HTTPS.
Chmarkine added subscribers: Chmarkine, BBlack, JanZerebecki.
Restricted Application added a subscriber: Aklapper. Jul 10 2015, 7:55 AM

Change 224029 had a related patch set uploaded (by Chmarkine):
Secure GeoIP and WMF-Last-Access cookies

https://gerrit.wikimedia.org/r/224029

Chmarkine renamed this task from GeoIP cookie doesn't set Secure flag to GeoIP and WMF-Last-Access cookies don't set Secure flag. Jul 10 2015, 8:39 AM
Chmarkine set Security to None.
Chmarkine updated the task description. (Show Details)
Chmarkine added subscribers: ori, faidon.

Change 224029 abandoned by Chmarkine:
Add "Secure" flag to GeoIP cookie

Reason:
I agree now. I neglected the fact that a MITM can obtain the user's location by looking up the victim's IP address directly.

https://gerrit.wikimedia.org/r/224029

Chmarkine renamed this task from GeoIP and WMF-Last-Access cookies don't set Secure flag to WMF-Last-Access cookie doesn't set Secure flag. Jul 28 2015, 4:14 PM
Chmarkine updated the task description. (Show Details)
Chmarkine removed a project: Patch-For-Review.
MZMcBride added a subscriber: MZMcBride.

This seems fairly straightforward to do, so I've tagged this task with the good first bug keyword accordingly. If this is mistaken, please feel free to revert.

Krenair added a subscriber: Krenair.
chasemp triaged this task as Normal priority. Oct 28 2015, 7:23 PM
chasemp added a project: Traffic.
Dzahn moved this task from Backlog to Cookies on the HTTPS board. Dec 3 2015, 10:26 PM