
Mark cookies from varnish as secure
Closed, Resolved · Public

Description

GeoIP and WMF-Last-Access cookies come from Varnish. We should be marking them as secure!

Event Timeline

Reedy created this task. · Nov 24 2015, 10:57 PM
Reedy raised the priority of this task from to Needs Triage.
Reedy updated the task description.
Reedy added projects: HTTPS, Varnish.
Reedy added subscribers: Krenair, Aklapper, csteipp and 2 others.
Dzahn moved this task from Backlog to Cookies on the HTTPS board. · Dec 3 2015, 7:11 PM
Restricted Application added a project: Operations. · Feb 23 2016, 6:12 PM

Change 281979 had a related patch set uploaded (by BBlack):
secure WMF-Last-Access cookie T119576

https://gerrit.wikimedia.org/r/281979

Change 281980 had a related patch set uploaded (by BBlack):
secure GeoIP cookie T119576

https://gerrit.wikimedia.org/r/281980

BBlack added a subscriber: BBlack. · Apr 6 2016, 7:35 PM

Note there are probably question-marks around these about insecure requests. We don't yet block/deny insecure POST traffic (T105794), but we've been warning about it and trying to weed them out from top log entries for a long time now, and sending warnings on the API requests. This could break requests which currently send these two cookies along with an insecure POST, but IMHO we're well past the date range where we can say "Hey, fix your insecure POST traffic instead of complaining about the broken cookies".

Change 281980 merged by BBlack:
secure GeoIP cookie T119576

https://gerrit.wikimedia.org/r/281980

Change 281979 merged by BBlack:
secure WMF-Last-Access cookie T119576

https://gerrit.wikimedia.org/r/281979

BBlack closed this task as Resolved. · Apr 7 2016, 7:05 PM
BBlack claimed this task.

Change 284110 had a related patch set uploaded (by BBlack):
secure WMF-Last-Access cookie

https://gerrit.wikimedia.org/r/284110

Change 284111 had a related patch set uploaded (by BBlack):
secure CP cookie

https://gerrit.wikimedia.org/r/284111

Reedy reopened this task as Open. · Apr 19 2016, 12:24 AM

Change 284110 merged by BBlack:
secure WMF-Last-Access cookie

https://gerrit.wikimedia.org/r/284110

Change 284111 merged by BBlack:
secure CP cookie

https://gerrit.wikimedia.org/r/284111

BBlack closed this task as Resolved. · Apr 19 2016, 3:56 PM

All Set-Cookie: emitted by varnish have the secure flag

Restricted Application added a subscriber: TerraCodes. · Apr 19 2016, 3:56 PM
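
The following is an added example, not part of the task or of the Varnish configuration it refers to. It audits Set-Cookie headers for the Secure attribute and shows the effect raised in the comment above: once a cookie is marked Secure, a client no longer attaches it to a plain-HTTP request. The header values, the `note` cookie and all function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the Secure attribute and show
# which cookies a client would still attach to a plain-HTTP request.

# Constructed sample headers. Cookie names come from the task; values and the
# other attributes are invented for illustration.
SAMPLE_HEADERS = [
    "GeoIP=US:CA:San_Francisco:37.77:-122.42:v4; Path=/; secure; Domain=.example.org",
    "WMF-Last-Access=19-Apr-2016; Path=/; HttpOnly; Expires=Sat, 21 May 2016 12:00:00 GMT",
    "CP=H2; Path=/; Secure",
    "note=insecure; Path=/",  # "secure" only inside the value: must not count
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    pair, _, rest = header.partition(";")
    name = pair.partition("=")[0].strip()
    attrs = {}
    for part in rest.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_missing_secure(headers):
    """Names of cookies set without the Secure attribute."""
    return [n for n, a in map(parse_set_cookie, headers) if "secure" not in a]


def cookies_sent(headers, scheme):
    """Names a compliant client attaches for this scheme.

    Simplification: only the Secure rule is modelled (Secure cookies go out
    over https only); Domain, Path and expiry matching are ignored.
    """
    return [n for n, a in map(parse_set_cookie, headers)
            if scheme == "https" or "secure" not in a]


if __name__ == "__main__":
    print("missing Secure:", cookies_missing_secure(SAMPLE_HEADERS))
    print("sent over http:", cookies_sent(SAMPLE_HEADERS, "http"))
    print("sent over https:", cookies_sent(SAMPLE_HEADERS, "https"))
```

Attribute names are matched case-insensitively and only after the first `;`, so a cookie whose value merely contains the word "secure" is still reported as missing the flag.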