
[5.x] Fix secure flag for session cookies #43882

Merged: 3 commits merged into joomla:5.1-dev on Aug 5, 2024

Conversation

@SniperSister (Contributor) commented Aug 5, 2024

Summary of Changes

The rework of the session management introduced in 5.x broke the code that sets the secure flag for the session cookie on sites with enforced HTTPS. The $options variable, containing the config, isn't passed to the storage anymore, resulting in the absence of the flag regardless of the configuration state:
84776fb#diff-bc8698a8418bcc017e622d13e0d460e94f502f09ae0f9c50cb6cd9f7ede73cb0L90

Testing Instructions

Enable "force SSL" on a 5.x site, inspect the session cookie using your developer tools. Verify that the flag is absent. Apply the patch and delete the cookie in your browser. Refresh.

Actual result BEFORE applying this Pull Request

No secure flag

Expected result AFTER applying this Pull Request

secure flag is set as expected

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
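The testing instructions above ask the tester to inspect the session cookie by hand. The following script automates that check against raw `Set-Cookie` headers: it parses each header value, and reports any session cookie that is served over HTTPS without the `Secure` attribute (and, as a related caveat, without `HttpOnly`). This is an added example written for this page, not code from the Joomla project or from the pull request; the header samples, the cookie name `example_session` and the helper names are constructed for illustration.

```python
"""Check Set-Cookie headers for session cookies that lack the Secure flag.

Added example, not Joomla code. The sample headers below are constructed
to mirror the PR's before/after states on an HTTPS-enforced site.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names are stored lower-cased; flag attributes map to ""
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 layout).

    The first segment is name=value; the remaining ";"-separated segments
    are attributes, matched case-insensitively ("Secure", "secure", ...).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def session_cookie_findings(
    headers: Iterable[Tuple[str, str]],
    session_names: Optional[Iterable[str]] = None,
    https: bool = True,
) -> List[Tuple[str, str]]:
    """Return (cookie name, problem) pairs for cookies missing Secure/HttpOnly.

    `headers` is a list of (header-name, header-value) tuples as captured from
    an HTTP response; only Set-Cookie headers are inspected. `session_names`
    restricts the check to the given cookie names (None = check every cookie).
    The Secure flag is only required when the site is served over HTTPS.
    """
    wanted = set(session_names) if session_names is not None else None
    findings: List[Tuple[str, str]] = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        if wanted is not None and cookie.name not in wanted:
            continue
        if https and not cookie.secure:
            findings.append((cookie.name, "missing Secure flag"))
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly flag"))
    return findings


# Constructed sample responses (not captured from a real Joomla site).
BEFORE_PATCH_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "example_session=abc123; path=/; HttpOnly; SameSite=Lax"),
]
AFTER_PATCH_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "example_session=abc123; path=/; secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_PATCH_HEADERS), ("after", AFTER_PATCH_HEADERS)):
        problems = session_cookie_findings(hdrs, session_names=["example_session"])
        print(f"{label}: {problems or 'OK'}")
```

Run the check against a fresh response: as the testing instructions note, a browser keeps the cookie it already has, so the `Set-Cookie` header only reappears after the old cookie is deleted and the page is reloaded.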

@SniperSister (Contributor, Author)

I've labeled the PR as release blocker because it's security relevant

@HLeithner (Member)

I have tested this item ✅ successfully on a459e59


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43882.

@dautrich commented Aug 5, 2024

I have tested this item ✅ successfully on a459e59


@alikon (Contributor) commented Aug 5, 2024

RTC


@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Aug 5, 2024
@wilsonge wilsonge merged commit aa82e89 into joomla:5.1-dev Aug 5, 2024
3 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Aug 5, 2024
@wilsonge (Contributor) commented Aug 5, 2024

My bad! Must have had something in mind at some point - but no clue what 3 years later :(

@richard67 richard67 added this to the Joomla! 5.1.3 milestone Aug 5, 2024
dgrammatiko pushed a commit to dgrammatiko/joomla-cms that referenced this pull request Aug 11, 2024
* Fix setting secure cookie flag for https-enforced sites

* apply for all sessions

---------

Co-authored-by: Quy <quy@nomonkeybiz.com>