Session cookies for the HTTPS and HTTP versions of the site broken

blender1968 - January 12, 2009 - 22:44
Project:Drupal
Version:6.8
Component:base system
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed
Description

http://drupal.org/node/170310 resulted in a code change to core that is supposed to support session cookies for the HTTPS and HTTP versions of a site and protect against HTTPS cookie hijacking.

Test case:

OS: CentOS 4
PHP: 4.3.9
Apache: 2.0.52 with mod_ssl
Drupal: Stock 6.8 with ../sites/default/settings.php edit (other than db_url):

-begin-

if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
ini_set('session.cookie_secure', 1);
}

-end-

session.cookie_secure is not set in php.ini:

-begin-

[root@XXXXX ~]# grep secure /etc/php.ini
; sets some non standard settings, that make PHP more efficient, more secure,
mssql.secure_connection = Off

-end-

Do a temporary edit to dump out $_SERVER and make an HTTPS request to demonstrate HTTPS is indeed on:

-begin-

Array
(
[HTTPS] => on
[SSL_VERSION_INTERFACE] => mod_ssl/2.0.52
[SSL_VERSION_LIBRARY] => OpenSSL/0.9.7a
[snip]

-end-

Clear all cookies for the site in your browser.

Make an HTTP request to the site.

A session cookie is set (for the anonymous user) and the browser Send[s] For: Any type of connection

Make an HTTPS request to the site to login (/user).

Another session cookie is set (presumably also for the anonymous user, as I haven't passed credentials yet) and the browser Send[s] For: Encrypted connections only.

Do an HTTPS request to login with (admin) credentials.

Once logged in, edit the URL to switch over to HTTP. i.e. change:

https://www.example.com/user/1

to:

http://www.example.com/user/1

Get thrown:

Access denied
You are not authorized to access this page.

Edit the URL to switch back to HTTPS and then you have a valid session again.

So, it seems like the logged-in user never gets a session cookie for the HTTP version of the site (or it is overwritten).

Please advise.

Cheers

#1

Damien Tournoud - January 12, 2009 - 22:48
Category:bug report» support request
Status:active» fixed

If I understand correctly, you added this to your settings.php:

<?php
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
ini_set('session.cookie_secure', 1);
}

That means that you want PHP to set the "secure" flag on the session cookie: this secure flag will prevent the browser from sending that cookie to non-SSL connections.

So the behavior is expected.

#2

blender1968 - January 13, 2009 - 00:05
Category:support request» bug report
Status:fixed» active

My understanding is that the previous bug (170310) and the code change to core provides the capability to switch between HTTP and HTTPS sessions on the same site (without losing login session).

That is the configuration I am trying to achieve.

If I have misunderstood the capability provided by the code change that arose out of 170310, can you please enlighten me?

Cheers

#3

Damien Tournoud - January 13, 2009 - 00:08
Category:bug report» support request
Status:active» fixed

My understanding is that the previous bug (170310) and the code change to core provides the capability to switch between HTTP and HTTPS sessions on the same site (without losing login session).

No, #170310: session.cookie_secure: SSL cookie gets over-written by non-SSL cookie only introduced the possibility to have *different* cookies between HTTP and HTTPS.

To use the same cookie between the two sessions, you don't have to do anything. Just let Drupal deal with it, and don't mess with session.cookie_secure.

#4

ryan_courtnage - January 13, 2009 - 00:56

To use the same cookie between the two sessions, you don't have to do anything. Just let Drupal deal with it, and don't mess with session.cookie_secure.

If doing this, are you not exposing your users to HTTPS Cookie Hijacking (http://fscked.org/blog/fully-automated-active-https-cookie-hijacking)?

I too was under the understanding that #170310's intention was to allow for both secure and non-secure session cookies while maintaining a user's logged-in session as they switch between HTTP and HTTPS...

#5

blender1968 - January 13, 2009 - 03:11

I could set session.cookie_secure in php.ini instead of setting it in settings.php as I have done - bootstrap.inc will look for it.

Look at the comments (and code) in bootstrap.inc:

// To prevent session cookies from being hijacked, a user can configure the
// SSL version of their website to only transfer session cookies via SSL by
// using PHP's session.cookie_secure setting. The browser will then use two
// separate session cookies for the HTTPS and HTTP versions of the site. So we
// must use different session identifiers for HTTPS and HTTP to prevent a
// cookie collision.
if (ini_get('session.cookie_secure')) {
$session_name .= 'SSL';
}

Is Drupal not suggesting it does exactly what I am trying to achieve?

I still maintain that it is broken or that it does not work as advertised (in the bootstrap.inc comments).

Cheers

#6

Damien Tournoud - January 13, 2009 - 09:40

@blender1968: you have to choose one, you can't have both:

  • use non-secure session cookie and share session between HTTP and HTTPS,
  • use secure session cookie for the HTTPS connection, and have different sessions between HTTP and HTTPS.
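As an added illustration of the two options above, not code from this thread or from Drupal core, the following Python simulation replays the reporter's steps with the standard library's http.cookiejar standing in for the browser: it honours the Secure attribute the same way the browser in the original report does (sends the cookie for "Encrypted connections only"). The session_name() function follows the bootstrap.inc pattern quoted in #5; that Drupal 6 hashes the scheme-less base URL into 'SESS' + md5 is recalled from the core code and is an assumption here, as are the host www.example.com taken from the thread and the made-up session ids. The "server" responses are constructed inline, so nothing contacts a real site.

```python
"""Replay the thread's two cookie configurations with a browser-like jar.

Added example, not Drupal or PHP code. http.cookiejar stands in for the
browser (it honours the Secure attribute); the server responses below are
constructed, and the session-name derivation is modelled on bootstrap.inc.
"""
import hashlib
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SITE = "www.example.com"  # host from the thread; no real site is contacted


def session_name(cookie_secure: bool, site: str = SITE) -> str:
    """Mirror of the bootstrap.inc pattern quoted in #5: 'SSL' is appended
    to the scheme-less base URL when session.cookie_secure is on, then the
    result becomes the cookie name ('SESS' + md5 is assumed from Drupal 6)."""
    name = site + ("SSL" if cookie_secure else "")
    return "SESS" + hashlib.md5(name.encode()).hexdigest()


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies():
    it only calls .info() and then .get_all('Set-Cookie') on the result."""

    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def server_sets_session(jar: CookieJar, url: str, name: str, sid: str, secure: bool) -> None:
    """One server response. PHP appends '; secure' to the session cookie
    when session.cookie_secure=1 is in effect for that request."""
    header = f"{name}={sid}; path=/" + ("; secure" if secure else "")
    jar.extract_cookies(_Response(header), Request(url))


def browser_sends(jar: CookieJar, url: str) -> dict:
    """Which cookies the jar attaches to a request for url, as {name: sid}.
    Secure cookies are only attached when the URL scheme is https."""
    req = Request(url)
    jar.add_cookie_header(req)
    raw = req.get_header("Cookie")
    if not raw:
        return {}
    return dict(p.strip().split("=", 1) for p in raw.split(";"))


def separate_cookies() -> dict:
    """The reporter's setup: cookie_secure only under HTTPS, so Drupal uses
    two cookie names. Anonymous visit over HTTP, then login over HTTPS."""
    jar = CookieJar()
    name_http, name_https = session_name(False), session_name(True)
    server_sets_session(jar, f"http://{SITE}/", name_http, "anon-sid", secure=False)
    server_sets_session(jar, f"https://{SITE}/user", name_https, "admin-sid", secure=True)
    return {
        "name_http": name_http,
        "name_https": name_https,
        "http": browser_sends(jar, f"http://{SITE}/user/1"),
        "https": browser_sends(jar, f"https://{SITE}/user/1"),
    }


def shared_cookie() -> dict:
    """Stock setup from #3: cookie_secure off and one cookie name, so the
    login over HTTPS overwrites the anonymous cookie and HTTP sees the
    logged-in session too, but the sid now travels in clear over HTTP."""
    jar = CookieJar()
    name = session_name(False)
    server_sets_session(jar, f"http://{SITE}/", name, "anon-sid", secure=False)
    server_sets_session(jar, f"https://{SITE}/user", name, "admin-sid", secure=False)
    return {
        "name": name,
        "http": browser_sends(jar, f"http://{SITE}/user/1"),
        "https": browser_sends(jar, f"https://{SITE}/user/1"),
    }


if __name__ == "__main__":
    r = separate_cookies()
    print("secure flag under HTTPS only:")
    print("  over http  ->", r["http"])   # anonymous cookie only: Access denied
    print("  over https ->", r["https"])  # both cookies; Drupal reads the SSL one
    s = shared_cookie()
    print("shared cookie:")
    print("  over http  ->", s["http"])   # logged-in sid, exposed to sniffing
    print("  over https ->", s["https"])
```

In the first scenario the HTTP request carries only the anonymous cookie, which is the "Access denied" the reporter saw; the HTTPS request carries both cookies, but Drupal's session name under HTTPS is the SSL variant, so it reads the logged-in one. In the second scenario both schemes present the same logged-in sid, which is the shared session #3 describes and the hijacking exposure #4 asks about, since that sid is sent over plain HTTP.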

#7

System Message - January 27, 2009 - 09:40
Status:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.
