mahara-contributors team mailing list archive
Message #22230
[Bug 1384009] A change has been merged
Reviewed: https://reviews.mahara.org/3939
Committed: http://gitorious.org/mahara/mahara/commit/e7d46cfc36d0a45a99c7dd598a455e0556d9f4b5
Submitter: Aaron Wells (aaronw@xxxxxxxxxxxxxxx)
Branch: master
commit e7d46cfc36d0a45a99c7dd598a455e0556d9f4b5
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date: Thu Nov 6 19:08:28 2014 +1300
Make Cookie Consent set the "secure" flag over HTTPS
Bug 1384009
Change-Id: I4b29a6de4d0ccb9970b909adc8382d842cc8a1c8
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1384009
Title:
Cookie lacking "secure" flag for HTTPS sites
Status in Mahara ePortfolio:
In Progress
Status in Mahara 1.10 series:
New
Status in Mahara 1.8 series:
New
Status in Mahara 1.9 series:
New
Status in Mahara 15.04 series:
In Progress
Bug description:
The cookie "lastinstitution" that we use to show the proper
institution theme to logged-out users does not properly use the
"secure" attribute for sites that are using HTTPS. This means it's
possible for the cookie's contents to be obtained via non-HTTPS.
Not a huge thing, since its use is somewhat limited in scope, and the
"lastinstitution" data is not very sensitive, but it would be good to
use it.
While we're at it, we might also want to check on the (much more
important) PHP session cookie. This can be set at the server level,
but we could also check for it in PHP. See
http://stackoverflow.com/questions/6821883/set-httponly-and-secure-on-phpsessid-cookie-in-php
for details on that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1384009/+subscriptions
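
An added example, not code from the Mahara commit or from the bug report: one way to give both the "lastinstitution" cookie and the PHP session cookie the "secure" attribute only when the request arrived over HTTPS, which is the check the bug description asks for. The helper names, the cookie value and the 30-day lifetime are assumptions made for illustration.

```php
<?php
// Added example, not Mahara's own code. Function names are hypothetical.

// True when the current request arrived over HTTPS.
// Assumption: PHP sees the TLS connection directly. Behind a TLS-terminating
// proxy, $_SERVER['HTTPS'] is not set and the site's configured URL scheme
// (or a header set by the proxy itself) has to be used instead.
function request_is_https(array $server): bool {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Build the positional arguments for setcookie() so the flag decision can be
// inspected without sending any headers.
function institution_cookie_args(string $institution, bool $secure, int $now): array {
    return [
        'lastinstitution',          // cookie name from the bug report
        $institution,               // value (constructed sample below)
        $now + 60 * 60 * 24 * 30,   // expiry: 30 days, an assumed lifetime
        '/',                        // path
        '',                         // domain: host-only cookie
        $secure,                    // "secure": browser returns it over HTTPS only
        true,                       // "httponly": assumes no script reads this cookie
    ];
}

$secure = request_is_https($_SERVER);

// Session cookie: the flags must be applied before session_start().
// The server-level equivalent is session.cookie_secure = 1 in php.ini.
$params = session_get_cookie_params();
session_set_cookie_params(
    $params['lifetime'],
    $params['path'],
    $params['domain'],
    $secure,
    true // httponly
);
session_start();

// Theme cookie for logged-out users, sent with the same "secure" decision.
setcookie(...institution_cookie_args('exampleinstitution', $secure, time()));
```

On a plain-HTTP site `$secure` is false, so both cookies are still set and the site keeps working without HTTPS.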