I have been advised by a security consultant:
The "Secure" option is not set on the "cms_75fb5_loginsession" and
"cms_75fb5_PHPSESSID" session cookies used by the application.
The "Secure" option restricts the cookie to being sent over secure (i.e. HTTPS)
connections. Any sensitive cookie used over HTTPS should have this option set.
When the option is not set, if the user accesses the site over HTTP, the cookie
will be transmitted unencrypted, and be vulnerable to sniffing by an attacker.
It is recommended that the "Secure" option is used with any cookies set by the
application. The secure cookie option is extremely important when the application
operates over HTTPS, as this cookie option will prevent the session token being
sent over unencrypted transport layers.
Could someone please tell me where to make this change in cmsBuilder?
If I were to change line 480 in /cmsAdmin/lib/common.php from:
setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, false, $cookieHttpOnly);
to:
setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, true, $cookieHttpOnly);
Would that resolve the issue by enabling the secure attribute?
If it's a sensible change to make, then perhaps it should be considered in the core, unless you have your reasoning for not making this change.
Thank you for your help.
You could replace that line with this:
$cookieSecure = $GLOBALS['SETTINGS']['advanced']['requireHTTPS'] && isHTTPS();
setcookie($cookieName, $cookieValue, $cookieExpires, $cookiePath, null, $cookieSecure, $cookieHttpOnly);
And it would send the "secure" cookie flag. But if you have "Require HTTPS" set under Admin > General then no access will be permitted (or cookies sent) from the CMS unless it's over a secure channel.
Also, Ross forwarded the additional notes so I'll review those as well.
That replacement code looks perfect. Just to explain: although the app won't issue a cookie unless you connect to the site over a secure channel, once that cookie has been issued the browser will still send it with every request (over HTTP or HTTPS) unless this flag is set.
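The browser behaviour described in the consultant's finding and in the last reply can be checked from the client side. The following is an added example, not cmsBuilder code or anything posted in this thread; it uses Python's http.cookiejar (which follows the same Secure-attribute rule as a browser) with constructed Set-Cookie values and an assumed hostname, and shows that the two session cookies issued over HTTPS are still attached to a plain-HTTP request unless they carry the Secure flag.

```python
"""Browser handling of a session cookie with and without the Secure flag.

http.cookiejar applies the same rule as a browser: a cookie carrying the Secure
attribute is attached only to https:// requests.  Hostnames and Set-Cookie
values are constructed sample data, not captured from a real cmsBuilder site.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def cookie_header_sent(set_cookie_values, login_url, later_url):
    """Store the cookies issued at login_url, then return the Cookie header
    the client would send to later_url (None when nothing is sent)."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_values), Request(login_url))
    later = Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


LOGIN_URL = "https://cms.example.test/cmsAdmin/"  # assumed hostname, login over HTTPS
HTTP_URL = "http://cms.example.test/cmsAdmin/"    # same site reached over plain HTTP

# What setcookie() emits with its 'secure' argument false vs. true (constructed).
WITHOUT_SECURE = [
    "cms_75fb5_loginsession=sample-token-1; Path=/; HttpOnly",
    "cms_75fb5_PHPSESSID=sample-token-2; Path=/; HttpOnly",
]
WITH_SECURE = [
    "cms_75fb5_loginsession=sample-token-1; Path=/; Secure; HttpOnly",
    "cms_75fb5_PHPSESSID=sample-token-2; Path=/; Secure; HttpOnly",
]


def leaks_over_http(set_cookie_values):
    """True if cookies issued over HTTPS would later be sent over plain HTTP."""
    return cookie_header_sent(set_cookie_values, LOGIN_URL, HTTP_URL) is not None
```

`leaks_over_http(WITHOUT_SECURE)` is True and `leaks_over_http(WITH_SECURE)` is False, while the Secure-flagged cookies are still sent to the HTTPS URL, which is exactly the behaviour the "Require HTTPS" setting alone does not give you.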