Page MenuHomePhabricator
Create Task
Maniphest T119576

Mark cookies from varnish as secure
Closed, ResolvedPublic
Actions

Description

GeoIP and WMF-Last-Access cookies come from Varnish. We should be marking them as secure!

Details

SubjectRepoBranchLines +/-
secure CP cookieoperations/puppetproduction+2 -2
secure WMF-Last-Access cookieoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Reedy created this task.Nov 24 2015, 10:57 PM
Reedy raised the priority of this task from to Needs Triage.
Reedy updated the task description. (Show Details)
Reedy added projects: HTTPS, Varnish.
Reedy added subscribers: Krenair, Aklapper, csteipp and 2 others.
Dzahn moved this task from Backlog to Cookies on the HTTPS board.Dec 3 2015, 7:11 PM
Aklapper added a project: Traffic.Feb 23 2016, 6:12 PM
Restricted Application added a project: SRE. · View Herald TranscriptFeb 23 2016, 6:12 PM
gerritbot added a subscriber: gerritbot.Apr 6 2016, 7:15 PM

Change 281979 had a related patch set uploaded (by BBlack):
secure WMF-Last-Access cookie T119576

https://gerrit.wikimedia.org/r/281979

gerritbot added a project: Patch-For-Review.Apr 6 2016, 7:15 PM

Change 281980 had a related patch set uploaded (by BBlack):
secure GeoIP cookie T119576

https://gerrit.wikimedia.org/r/281980

BBlack added a subscriber: BBlack.Apr 6 2016, 7:35 PM

Note there are probably question-marks around these about insecure requests. We don't yet block/deny insecure POST traffic ( T105794 ), but we've been warning about it and trying to weed them out from top log entries for a long time now, and sending warnings on the API requests. This could break requests which currently send these two cookies along with an insecure POST , but IMHO we're well past the date range where we can say "Hey, fix your insecure POST traffic instead of complaining about the broken cookies"

gerritbot added a comment.Apr 7 2016, 7:02 PM

Change 281980 merged by BBlack:
secure GeoIP cookie T119576

https://gerrit.wikimedia.org/r/281980

gerritbot added a comment.Apr 7 2016, 7:02 PM

Change 281979 merged by BBlack:
secure WMF-Last-Access cookie T119576

https://gerrit.wikimedia.org/r/281979

BBlack closed this task as Resolved.Apr 7 2016, 7:05 PM
BBlack claimed this task.
BBlack merged a task: T105451: WMF-Last-Access cookies doesn't set Secure flag.Apr 12 2016, 4:29 PM
BBlack added subscribers: MZMcBride, faidon, ori and 2 others.
gerritbot added a comment.Apr 19 2016, 12:13 AM

Change 284110 had a related patch set uploaded (by BBlack):
secure WMF-Last-Access cookie

https://gerrit.wikimedia.org/r/284110

gerritbot added a comment.Apr 19 2016, 12:13 AM

Change 284111 had a related patch set uploaded (by BBlack):
secure CP cookie

https://gerrit.wikimedia.org/r/284111

Reedy reopened this task as Open.Apr 19 2016, 12:24 AM
gerritbot added a comment.Apr 19 2016, 12:26 AM

Change 284110 merged by BBlack:
secure WMF-Last-Access cookie

https://gerrit.wikimedia.org/r/284110

gerritbot added a comment.Apr 19 2016, 1:49 AM

Change 284111 merged by BBlack:
secure CP cookie

https://gerrit.wikimedia.org/r/284111

BBlack closed this task as Resolved.Apr 19 2016, 3:56 PM

All Set-Cookie: emitted by varnish have the secure flag

Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptApr 19 2016, 3:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL