Session Cookies should have SECURE attribute

5 posts by 2 authors in: Forums > CMS Builder
Last Post: January 10, 2014   (RSS)

By gversion - January 7, 2014

If I was to change line 480 in /cmsAdmin/lib/common.php from:

  setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, false, $cookieHttpOnly);

to:

  setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, true, $cookieHttpOnly);

Would that resolve the issue by enabling the secure attribute?

If it's a sensible change to make then perhaps it should be considered in the core unless you have your reasoning for not making this change.

Thank you for your help.

Regards,

Greg

By Dave - January 9, 2014

Hi Greg, 

You could replace that line with this: 

$cookieSecure = $GLOBALS['SETTINGS']['advanced']['requireHTTPS'] && isHTTPS();
setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, $cookieSecure, $cookieHttpOnly);

And it would send the "secure" cookie flag.  But if you have "Require HTTPS" set under Admin > General then no access will be permitted (or cookies sent) from the CMS unless it's over a secure channel.

Also, Ross forwarded the additional notes so I'll review those as well.

Thanks!

Dave Edis - Senior Developer
interactivetools.com
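As an added illustration of the conditional Secure flag Dave describes above (example code written for this thread, not CMS Builder's own; the `request_is_https()`, `send_session_cookie()` and `set_cookie_has_secure()` helpers and the `$trustedProxy` value are assumptions, and `request_is_https()` stands in for the app's `isHTTPS()` whose implementation is not shown here):

```php
<?php
// Added example: decide whether this request arrived over TLS.
// Assumption: PHP either terminates TLS itself or sits behind one reverse
// proxy whose address is known; only that proxy's X-Forwarded-Proto is trusted,
// since any client can send that header directly.
function request_is_https(string $trustedProxy = ''): bool
{
    // Direct TLS: PHP sets HTTPS to a non-empty value other than "off".
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    $proto  = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '');
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    return $trustedProxy !== '' && $remote === $trustedProxy && $proto === 'https';
}

// Send the session cookie with Secure set only when the request itself is
// HTTPS, mirroring the $cookieSecure line from the thread. Without Secure the
// browser replays a cookie issued over HTTPS on later plain-HTTP requests too.
function send_session_cookie(string $name, string $value, int $expires,
                             string $path, bool $requireHttps): bool
{
    $secure = $requireHttps && request_is_https();
    // HttpOnly is always on so scripts cannot read the session cookie.
    return setcookie($name, $value, $expires, $path, '', $secure, true);
}

// Check a Set-Cookie response header (e.g. one captured with `curl -I`)
// for the Secure attribute, so the change can be verified after deployment.
function set_cookie_has_secure(string $headerLine): bool
{
    $line  = preg_replace('/^set-cookie:\s*/i', '', trim($headerLine));
    $attrs = array_map('trim', explode(';', $line));
    array_shift($attrs); // drop the name=value pair
    foreach ($attrs as $attr) {
        if (strcasecmp($attr, 'secure') === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample headers: the first is what the patched line should
// produce over HTTPS, the second is the original non-Secure cookie.
var_dump(set_cookie_has_secure('Set-Cookie: sess=abc123; path=/; secure; HttpOnly')); // bool(true)
var_dump(set_cookie_has_secure('Set-Cookie: sess=abc123; path=/; HttpOnly'));         // bool(false)
```

After deploying the change, `curl -sI https://<your-site>/cmsAdmin/ | grep -i set-cookie` should show the session cookie carrying both `secure` and `HttpOnly`.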

Hi Dave,

Thanks for your suggestion, which I have now implemented.

I look forward to hearing back from you regarding the other items too.

Kind regards,

Greg

Hi Dave,

That replacement code looks perfect. Just to explain: although the app won't issue a cookie unless you connect to the site over a secure channel, once that cookie has been issued the browser will still send it with every request (over HTTP or HTTPS) unless this flag is set.

Regards,

Greg