
In the web installer, use secure session cookies
b10c41a2947e · Unpublished

Authored by tstarling on Jun 25 2020, 6:03 AM.

Unpublished Commit

  • Publishing Disabled: All publishing is disabled for this repository.
  • Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

In the web installer, use secure session cookies

When starting a session when the detected protocol is HTTPS, use
cookie_secure=1 so that the session cookie has the secure attribute.

Without the secure attribute, a CSRF attack could be used to send
cookies over an insecure channel, leaking the session ID to an attacker
with network access.

Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)
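
The behaviour the description states, as an added PHP example that is not the code from this commit: `cookie_secure` is passed to `session_start()` only when the request is detected as HTTPS, and the resulting cookie parameters are then checked. The function names and the `$_SERVER['HTTPS']` detection are assumptions; the page does not show how the installer detects the protocol.

```php
<?php
// Added example, not MediaWiki installer code. Function names are hypothetical.

/**
 * Assumption: the protocol is detected from $_SERVER['HTTPS'], which is
 * non-empty and not "off" when the request arrived over TLS.
 */
function requestIsHttps(array $server): bool {
    return !empty($server['HTTPS'])
        && strtolower((string)$server['HTTPS']) !== 'off';
}

/**
 * Options for session_start(). cookie_secure is added only on HTTPS, so a
 * plain-HTTP install still receives a session cookie the browser will return.
 */
function installerSessionOptions(array $server): array {
    return requestIsHttps($server) ? ['cookie_secure' => 1] : [];
}

// Start the session before any output, so the Set-Cookie header can be sent.
session_start(installerSessionOptions($_SERVER));

// Check: on HTTPS the session cookie must carry the Secure attribute.
// session_get_cookie_params() reports the values used for Set-Cookie.
$params = session_get_cookie_params();
if (requestIsHttps($_SERVER) && !$params['secure']) {
    throw new RuntimeException('Session cookie is missing the Secure attribute');
}

// Constructed request environments, showing both branches of the decision.
$constructedHttps = ['HTTPS' => 'on',  'HTTP_HOST' => 'wiki.example'];
$constructedHttp  = ['HTTPS' => 'off', 'HTTP_HOST' => 'wiki.example'];
error_log(json_encode(installerSessionOptions($constructedHttps))); // {"cookie_secure":1}
error_log(json_encode(installerSessionOptions($constructedHttp)));  // []
```

The same check can be made from outside by looking for `secure` in the `Set-Cookie` response header of the first installer page served over HTTPS.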

Details

Committed
Reedy on Jun 25 2020, 1:32 PM
Parents
rMWb5f555a3c1b5: Start 1.31.9
Branches
Unknown
Tags
Unknown
ChangeId
I1a4b612425a16da1a7a8fd855f376a377b0b48d7
