Session Cookies should have SECURE attribute
I have been advised by a security consultant:
The "Secure" option is not set on the "cms_75fb5_loginsession" and
"cms_75fb5_PHPSESSID" session cookies used by the application.
The "Secure" option restricts the cookie to being sent over secure (i.e. HTTPS)
connections. Any sensitive cookie used over HTTPS should have this option set.
When the option is not set, if the user accesses the site over HTTP, the cookie
will be transmitted unencrypted, and be vulnerable to sniffing by an attacker.
It is recommended that the "Secure" option is used with any cookies set by the
application. The secure cookie option is extremely important when the application
operates over HTTPS, as this cookie option will prevent the session token being
sent over unencrypted transport layers.
Could someone please tell me where to make this change in cmsBuilder?
You could replace that line with this:
// Send the "secure" flag when "Require HTTPS" is enabled and this request is over HTTPS
$cookieSecure = $GLOBALS['SETTINGS']['advanced']['requireHTTPS'] && isHTTPS();
setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, $cookieSecure, $cookieHttpOnly);
And it would send the "secure" cookie flag. But if you have "Require HTTPS" set under Admin > General then no access will be permitted (or cookies sent) from the CMS unless it's over a secure channel.
Also, Ross forwarded the additional notes so I'll review those as well.
Thanks for your suggestion, which I have now implemented.
I look forward to hearing back from you regarding the other items too.
That replacement code looks perfect. Just to explain: although the app won't issue a cookie unless you connect to the site over a secure channel, once that cookie has been issued the browser will still send it with every request (over HTTP or HTTPS) unless this flag is set.
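
The behaviour described in the last reply, as an added example that is not part of the thread or of the CMS's own code: a small check that parses Set-Cookie headers, lists session cookies missing the Secure attribute, and models which cookies a browser would attach to a plain-HTTP request. The cookie names come from the consultant's report; the cookie values, the www.example.com host and the function names are constructed for illustration, and only the Secure rule is modelled (domain, path and expiry matching are ignored).

```python
from urllib.parse import urlsplit

# Constructed sample headers: what the CMS might send over HTTPS before and
# after the change (names from the report above, values made up).
BEFORE = [
    "cms_75fb5_PHPSESSID=abc123; path=/; HttpOnly",
    "cms_75fb5_loginsession=def456; path=/; HttpOnly",
]
AFTER = [
    "cms_75fb5_PHPSESSID=abc123; path=/; secure; HttpOnly",
    "cms_75fb5_loginsession=def456; path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure map to an empty string.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_secure(headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if "secure" not in attrs]


def cookies_sent(headers, url):
    """Names of already-stored cookies a browser would attach to `url`.

    Simplified model: a cookie with Secure is withheld from non-HTTPS
    requests; a cookie without it is sent on both HTTP and HTTPS.
    """
    is_https = urlsplit(url).scheme.lower() == "https"
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if is_https or "secure" not in attrs]


if __name__ == "__main__":
    print("missing Secure (before):", missing_secure(BEFORE))
    print("sent over HTTP (before):", cookies_sent(BEFORE, "http://www.example.com/"))
    print("sent over HTTP (after): ", cookies_sent(AFTER, "http://www.example.com/"))
```

To check a live site, paste the Set-Cookie lines from the login response (for example from the browser's developer tools) into a list and pass it to missing_secure.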