Dual http/https session cookies interfere with drupal_valid_token()

subscribe just for fun (I'm not a fan of $conf['https'] but curious to follow the #action)

Module authors that *want* tokens to be restricted to one protocol can still do so, they'd just need to check $_SERVER['https'] in the validation logic.

My reading of the patch is that the token is received from the server via HTTP, then could be passed back to the server along with the insecure session cookie via either HTTP or HTTPS as a valid token.

It depends how the token is used (I need to dig into the fapi when I have time), but theoretically what chx talks about in #1 would be more secure: you could create a token that would only be valid if passed back with the secure session cookie via HTTPS.

to clarify my comment in #4, I was just wondering if there's any chance of token validation alone being used for some sort of privilege escalation (accessing a cached form or something) if the token is passed in via HTTPS by an attacker (with insecure session key but not the secure session key needed for user authentication). I haven't yet had a chance to dig in to how tokens are used (by core or contrib)

subscribing

@grendzy: The issue is that this patch allows a token to be validated with the insecure session id (which could be intercepted by an attacker via packet sniffing) on the secure site (which otherwise requires the secure session id for user authentication).

This isn't necessarily a problem if both token validation and user authentication are always required by the code that relies on tokens, since an attacker shouldn't be able to authenticate on the secure site with just the insecure session id. But I did want to point out the risk.

AFAICS, Drupal never supported this so far, so this is a good and possibly backportable improvement, but not a bug.

You might have better luck if you do some of the thinking for the reviewers.

For example, in #1050746 you either have to install Secure Pages and run the tests or code-read the patch just to know what session issues you've fixed. Unknowns are often written off as too much work. By stating what the patch fixes in words people can get an idea of what's involved before they start. It might even encourage people to review just a portion of the issue rather than the whole (as I did).

Just my $0.02. ;)

I think this tag is appropriate.

The last submitted patch, 961508.patch, failed testing.

In an effort to move these along by providing feedback, here is a quick overview.

• http://drupal.org/project/securepages requires 3 core patches to make it to a stable release #952820: Drupal 7 port
• These 3 patches + the settings.php configuration need to be committed in tandem.
• Two people (myself here http://drupal.org/node/952820#comment-5213578 and Majestixs here http://drupal.org/node/952820#comment-5214816) have successfully got the system to work with the 3 pages and settings configuration.
• This post is being crossed posted in all 3 issues queues #1050746: HTTPS sessions not working in all cases, #961508: Dual http/https session cookies interfere with drupal_valid_token(), and #471970: DrupalWebTestCase->getAbsoluteUrl should use internal browser's base URL in an effort to provide feedback and RBTC for all 3.
• The only thing left is the security review. If this requires us to switch back to ‘needs review’, please do so!

Thanks for fixing the shoddy work I did with the HTTP/HTTPS mechanism. However, this needs a test. Thanks again.

Adding session tag.

For what it's worth, #3 (for D7) and #23 (for D8) are almost identical and #23 applies fine on D7.10 as well.

Patch from #23 re-rolled against 7.x for drush make file.

If someone can suggest where (which file) the tests should go, and give a high level summary of what to test I have some funded time to get this done.

@grendzy

Thanks for the help. I think I can do this.

I created the menu item and form in form_test.module, and I created a new test case in form.test. I notice that httpUrl() and httpsUrl() are not part of the web test case, but are in session.test. What is the preferred way to load the required class?

Also, it looks like what I need to do is get the proper absolute URLs from httpsUrl and httpUrl() and then to do a $this->drupalPost(), is that correct?

Does anyone disagree with @grendzy's recommendation to move httpUrl() and httpsUrl() to DrupalWebTestCase?

I'm not sure about 1. For 2, it looks like session.test alters the action this way:

Perhaps the hyphen at the beginning of -form-test-https-only-form? I'm not sure though. I've found the xpath error messages not the greatest for debugging.

chaskype, the URL in your comment ( http://drupal.org/node/707484 ) is a link to the handbook page documenting how to apply patches, not part of the apply command. #21 will apply to Drupal 7, and #23 is for Drupal 8.

Tagging as a SecurePages release blocker.

#21: 961508-20.patch queued for re-testing.

@Everett Zufelt
Did you ever get your test working? Do you have a patch for what you've completed thus far? It seems from a code perspective, no one has any complaints... it's just a test that's holding this up.

Additionally, I'm not sure if anyone gave feedback on #39. Anyone have any complaints with this approach?

I really appreciate everyone's work on this, but is there any update? I must admit using the combination of the other modules I've cobbled together to redirect is tough to maintain and not nearly as clean as Secure Pages on Drupal 6.x. Wish I knew enough to contribute.

The last submitted patch, 961508-23-32-D7.patch, failed testing.

Can we get an update on this? May 4th was expected to be worked on 2 months later no progress? Preventing secure pages module full release, probably even preventing people from upgrading to drupal 7.

Hi,

Thanks for all the time everyone's put into this. I'm a little confused in relation to Drupal 7 having found this thread on the SecurePages project page under fixes for D7.

Does anybody know if the patch has been put into D7 core (e.g. the latest 7.15 release)? Or is even on the agenda for D7 core development?

Bumping this to critical. Without SSL switching, how can you build an eCommerce site.

Could we see the same priority for this as well?

http://drupal.org/node/471970

Then Secure Pages can be released properly. I have built an e-commerce site around D7, but we can't go live with online sales until these issues are fixed.

@alexp999 - It's completely valid to "patch" (not hack) core. Just go ahead and apply the patch yourself until this makes it in. Just be careful that you don't loose the patch the next time you update though.

Agreed with #66. I've had to reapply at least 2 of the patches with each new Drupal 7.x branch release... and I understand the need to properly place in D8 and backport with tests, etc... but we've had a terrible time getting the momentum to push this through despite the fact that it works, etc.

See my early comments, reviews, etc. I've been running 2 commerce sites with said patches and have also marked this RBTC one at least one occasion. But we're stuck on #52 to provide tests in order to get this fully committed, etc.

If the Drupal community truly takes security seriously, then it's kinda sad that this module STILL doesn't have a full release despite all the help in this thread!

Sorry, didn't mean to rant... you guys all rock. But this patch seems to be in perpetual purgatory...

No, tests are generally needed for all bug fixes, regardless of version, because that's how we make sure we don't break things ever again. There are once in a great while exceptions to this, but given how critical this functionality is, it seems even more prudent to ensure there are tests for it.

Step 1 is for one of the 78 people following this issue to analyze the work Everett's done and try and get it working. If it's not possible, explain where you got stuck. From there we can figure out if it's worth committing the fix in advance of the test, but hopefully the more likely scenario is just pinging someone with specific knowledge to move it forward once we understand what the blocker is.

Here's a patch based on #32 with a test added as suggested by @grendzy in #35. It also moves the httpUrl and httpsUrl methods to DrupalWebTestCase from SessionTestCase.

This doesn't include tests for the changes to drupal_get_token, just the #https form property.

Should I include a test based on #5 (the TEST ONLY patch)?

The last submitted patch, drupal-https-only-961508-23-32.patch, failed testing.

@maen: you can patch D7 by using the patch in #32 -- usual warnings concerning patching Drupal core apply.

I have re-factored the patch from #71 for D8:

• There was a syntax error in one of the asserts (t()-function not correctly closed).
• Moved SessionHttpsTest::httpUrl() and SessionHttpsTest::httpsUrl() to WebTestBase since they are now shared between multiple test cases.
• Removed an excess space from the form_set_error message.

The last submitted patch, 961508-75-https-dual-tokens.patch, failed testing.

This patch fixes the paths to the https.php/http.php files in WebTestBase.php, but still has problems submitting the form.

The last submitted patch, drupal-n961508-82-d8.patch, failed testing.

The last submitted patch, drupal-n961508-85-d8.patch, failed testing.

What do we need to do to get this backported to Drupal 7? This is one of the critical patches that is need for serious commerce, and continue to keep Drupal easy to maintain. Can someone in the know list exactly what needs to happen, so we know where we are? I will try to help where I can.

The patch in #85 failed:

quickstart@qs10:/home/dm8$ git apply drupal-n961508-85-d8.patch
error: patch failed: core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php:46
error: core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php: patch does not apply

So just re-rolling it.

From the test details, I don't know why we are getting "HTTP response expected 200, actual 403" in this unless it isn't being sent via https. This should work:
$this->assertResponse(200);

The errors in Drupal\system\Tests\Session\SessionTest all look like they should be green. I don't understand what the bot is looking for.

Nixed an extra }

Subscribing, it is hard to know which patch to use.

And here is new patch for test bot.

Missed some forward slashes. Try again.

Working on fixing tests. Hope to post new patch tomorrow.

The last submitted patch, drupal-https_session_cookies-961508_101.patch, failed testing.

ooppps and send to bot.

OK cleared up an incorrect assertion. Now left with only one fail I believe.

Can not figure out why it's failing.

Need the assistance of someone with more experience. Would also like my work checked, as I am not sure I am making changes to the test's correctly. It seems logical to me but could be wrong.

I might be saying this a bit late, but this patch may be wiped out if #335411: Switch to Symfony2-based session handling gets in.

OK fixed the final test. Not sure if I am correct in my assumption, but I believe the login page should also be non-secure.

At least if this comes back green and #335411: Switch to Symfony2-based session handling does not get in, we are good to go.

Yes, it would be great for D7 (and D8 if Symfony session handling does not get in).

This patch for D7 has been ready since #21 (granted, it needs the test coverage added). The issue is simply getting it committed to D8 first so that the backport can be accepted, which would be awesome so that secure pages for D7 can finally get to a 1.0 release without requiring these patches.

#21: 961508-20.patch queued for re-testing.

This should not be blocked for D7 just because we don't know where D8 goes.

+1

I reviewed the patch and read through the entire issue. Comments:

1. The drupal_get_token() changes look pretty solid to me. My only question is whether this hurts security in the case of a site that is "mostly" HTTPS (meaning, HTTPS-enough that it does not suffer from this bug in practice) but happens to put $conf['https'] = TRUE in its settings.php file anyway? Because then all tokens on the site will start being derived from the insecure session for no particular reason. I don't see this as a blocker because it could be dealt with via documentation (at http://drupal.org/https-information, and in release notes when this gets backported to Drupal 7), but we do really need to understand what the consequences are for various sites on the entire "all-HTTPS-to-no-HTTPS spectrum" so this can be documented.
2. This part of the patch I don't understand:
   +  // Ensure the correct protocol when #https is set.
+  if (!empty($form['#https']) && !$GLOBALS['is_https']) {
+    form_set_error('', t('This form requires HTTPS. Contact the site administrator if the problem persists.'));
+  }

   First, it's totally changing the meaning of $form['#https'] from "use HTTPS for this form if the server supports it" to "the server must support HTTPS for the form to be submitted". So for example, on my non-HTTPS server, this completely breaks installing modules via the UI (using authorize.php).

   Is the intention to check variable_get('https', FALSE) here too? Then, I think it makes sense.

   However, I'm still not clear on how it relates to the rest of this issue. I read comments #4 and #5 but I'm still not seeing the scenario it protects against. (And in any case, if it's doing something to compensate for a less-secure token, then only doing it in the form API seems problematic since tokens are used outside the form API too.)

   Finally (less important), the message looks outdated... I believe at some point Drupal core moved away from telling people to spam the site administrator :) I think just "This form must be submitted over a secure connection" would work.

3. As for the tests...
   • Er, aren't the tests themselves missing??? The patch in #85 seems to be the last version that has the new test file :)
   • +    $this->assertText(t('Log in'), 'Login page loaded for first session.');

     I can't figure out why these are being added and what they accomplish?

   •      // Check that user login form action is secure.
     $this->drupalGet('user');
     $form = $this->xpath('//form[@id="user-login-form"]');
-    $this->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure');
+    $this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is not secure');

     Well, at a minimum the code comment would need to be changed too, but it seems like a problem to me that this expectation is changing. Isn't it a fundamental part of the test?

   Note that some of the above may be fixed if it turns out we can remove the $form['#https'] changes from this patch (since then we could just remove the corresponding test changes also).

4. For what it's worth, what ever happened to the tests @grendzy wrote way back in #5? I'm not sure they actually got moved anywhere else, and they look pretty relevant to the drupal_get_token() changes in this issue.

The last submitted patch, drupal-https_session_cookies-961508-110.patch, failed testing.

OK have addressed some of the issues raised by @David_Rothstein.

1) Not really sure what is required here, maybe just documentation? I too am not sure of the consequences across the entire "all-HTTPS-to-no-HTTPS spectrum". I feel this needs more discussion.

2) I believe what is trying to be achieved is exactly what you quote "the server must support HTTPS for the form to be submitted".
Surely this would only break something if the form is set as HTTPS only. How would that stop you from installing modules on a non-HTTPS server? Maybe I am not understanding your concern correctly.
I would have thought that a server that supports HTTPS could still have insecure URL's, this is exactly what the issue is trying to resolve. Not sending secure forms submissions to insecure URL's, but allowing the form to be submitted to a secure URL on mixed sites.
I have however added variable_get('https', FALSE as you suggested.
Also I believe, again, this needs more investigation/discussion, as you point out tokens are used elsewhere also.
To be honest this whole concept of mixed sessions is confusing, and INMHO fraught with issues. Unless the site admin is particularly careful, there will be mistakes made. Do we really want to go to this much trouble to support such a use case?

3) I missed the actual HTTPS form test on the patch. That is now added.
I too do not understand why those assertions were added, just seemed like noise. I have deleted from the latest patch.
The last point in 3 I agree with you, it was however the only way I could get the tests failure to green. However, that was wrong. I have reverted that in this patch.
4) The tests from #5 where broken and would never pass. In particular the 'token' tests, they were calling drupal_get_token each time, and then testing to see that each time it sent the same token. However, it could not, as the function contains drupal_get_private_key() which returns a unique key each time called.
The other tests were just repeating the functionality of the new FormHttpsOnlyTest.

So finally, this patch will more then likely not pass, and somewhere there is an issue with sessions, and forms, that I have been chasing around in circles, to no avail. I think this needs a more thorough investigation and I personally do not have what it takes. Someone with more in depth knowledge of sessions and session handling needs to unravel this.

The last submitted patch, drupal-https_session-961508-124.patch, failed testing.

The last submitted patch, drupal-https_session-961508-127.patch, failed testing.

The last submitted patch, drupal_https_sessions-961508-129.patch, failed testing.

The last submitted patch, drupal_https_sessions-961508-129.patch, failed testing.

This patch contains the code from #124, with the tests for HTTPs forms merged into the existing tests that were already there, as well as a version of the drupal_get_token() tests from #5.

If all goes well, the first patch will have failures in both sets of new tests, and the second patch won't have any :)

I'm still not sure why the $form['#https'] changes are part of this issue, though (even though I think they make sense on their own). Maybe if @mfb or @grendzy are still following this issue they will have an explanation...

David, thanks very much for your help here. I have been pulling my hair out over this.

I see that your improved 'token' tests now only call 'drupal_get_token' once and compare it on HTTPS and HTTP submissions, so yes, it will return the same token, that was exactly the problem with previous version of the test. Calling it twice will never return the same token. The reason I made the change to not calling the function, but retrieving the already stored token was to get over that shortcoming, however your solution seems better IMO.

I think the reason for my issue with the form tests, is that it seemed they were trying for a fail of HTTPS form over HTTP. Exactly what you say we do not want. So yes the new test's pass with variable_get('https', FALSE), but we need it confirmed that this is the expected behavior previously sought.

Anyway, thank you very much for your support here. I am a novice and have been learning a lot as I worked through this.

It sounds more like needs review.

David_Rothstein:

First, it's totally changing the meaning of $form['#https'] from "use HTTPS for this form if the server supports it" to "the server must support HTTPS for the form to be submitted". So for example, on my non-HTTPS server, this completely breaks installing modules via the UI (using authorize.php).

Is the intention to check variable_get('https', FALSE) here too? Then, I think it makes sense.

Looking at form.inc, I see that the #https key is indeed only considered when $conf['https'] is enabled. So yes I agree the form_set_error() should only fire when in this mode (the latest patch does include this check, so I think we're good).
As to why we set ''This form requires HTTPS" in the first place... it was based on feedback from mfb early in the issue. At the moment I'm having trouble stating a specific threat model that form_set_error() protects against. It's more of a sanity check: something has gone wrong if 1. $form['#https'] is set, 2. $conf['https'] is set, and 3. we're not actually on an SSL page.

I admit I was surprised by the bad effect on authorize.php. I'm not sure, there may be a misunderstanding about (the horribly named) variable $conf['https'] itself. It does not mean merely "my server supports HTTPS" (though I suppose that's implied). It actually means "Enable mixed-mode session handling".

My only question is whether this hurts security in the case of a site that is "mostly" HTTPS (meaning, HTTPS-enough that it does not suffer from this bug in practice) but happens to put $conf['https'] = TRUE in its settings.php file anyway?

Enabling mixed-mode radically changes the behavior of sessions, and if someone "just happens" to enable this out of ignorance, I'm not sure the code can protect them (though documentation could help).

The last submitted patch, 961508-141.patch, failed testing.

#21: 961508-20.patch queued for re-testing.

Direct $_COOKIE usage seems rather hack-ish. drupal_get_token() is just meant to generate a URL-safe token that's used for validation. Manipulating the session ID outside of session_id() seems wrong. Should this logic be in that function instead?

#147: a mature CMS like Drupal 7+ probably needs to offer a solid mixed-mode handling if it is to retain its leading position now that security is on the rise "everywhere".

Ditto to what @grendzy said about which patches to use. I haven't run into a case where they need to be re-rolled for applying; the normal patch fuzz factors take into account the line number changes.

I agree with @DanZ. Acquia's Insight tool recommends that everyone use the Secure Pages module. This really should have been fixed a while back.

The last submitted patch, 961508-153.patch, failed testing.

#153: 961508-153.patch queued for re-testing.

...that's great! Now back to 8.x ;)

NOW back to 8.x

Eh, it also occurs to me that if the patch in #159 can break non-HTTPS sites but still passes tests, we're probably missing some important test coverage... I'll see if I can add something for that too.

Here's a new patch. I believe this covers everything in the last few months of comments (as well as other fixes required by recent changes in Drupal 8). Some responses:

1. David, thanks very much for your help here. I have been pulling my hair out over this.

   I see that your improved 'token' tests now only call 'drupal_get_token' once and compare it on HTTPS and HTTP submissions, so yes, it will return the same token, that was exactly the problem with previous version of the test. Calling it twice will never return the same token.

   You're welcome! Interesting, I would think call it twice should return the same token (unless the user is logged out and not maintaining a session across requests), but in any case, it seems to work now.

2. As to why we set ''This form requires HTTPS" in the first place... it was based on feedback from mfb early in the issue. At the moment I'm having trouble stating a specific threat model that form_set_error() protects against. It's more of a sanity check: something has gone wrong if 1. $form['#https'] is set, 2. $conf['https'] is set, and 3. we're not actually on an SSL page.

   Yeah, that makes sense to me; I just don't see how it's related to the rest of this issue. However, if no one else does either I guess that gives some confidence we aren't missing anything important, and fixing two bugs at once is fine by me :)

3. Direct $_COOKIE usage seems rather hack-ish. drupal_get_token() is just meant to generate a URL-safe token that's used for validation.

   We probably should put the code that reads from $_COOKIE in a helper function instead (there is similar code throughout session.inc that could be consolidated) but since it's duplicated in a couple places already, even before this patch, I think we can leave consolidating it to a followup issue (in the interest of not making this patch bigger and harder to review).

4. Manipulating the session ID outside of session_id() seems wrong. Should this logic be in that function instead?

   We're not manipulating the session ID itself; the idea is that we need to build the token off of something that isn't the session ID. However, the fact that previous patches used $session_id as the variable name definitely made that unclear... That's fixed in the attached patch.

5. Eh, it also occurs to me that if the patch in #159 can break non-HTTPS sites but still passes tests, we're probably missing some important test coverage... I'll see if I can add something for that too.

   This actually seems like it might be covered already (at least in Drupal 8). I'm uploading a version that contains the incorrect fix in form.inc to test that it already will fail without having to add any more tests than what we already added.

So this patch grants the last unencrypted session token access to all the data of the last encrypted session? So totally Firesheepable. I suppose that backwards compatibility needs to be respected... but the securepages model of "some pages are secure, some are not" is utterly wrong-headed. Sessions, not pages, should be encrypted.

@David_Rothstein What do you think about #167?

It doesn't really matter in my opinion if a hacker can intercept a HTTP cookie and use it to access the HTTPS site, that isn't really the problem.

@alexp999 which is to say, you as a site admin, don't mind that once a user has entered their username and password with the little padlock, that someone sharing their coffeeshop wifi can then cruise into their account and change their password and update their profile?

The main feature behind mixed mode is that you may be able to hijack a non-ssl cookie, but you cannot use this session data to get access to SSL secured sections of your site. Normally you don't transfer personal data on http, but when you switch to SSL (on a newsletter subscription page as example) you get a new session and you will enter your data there. Once you leave the subscription page you will be switched back to the non-ssl session and your SSL session is still secure.

This is all important for proxies, tablets, mobile phones and internet café. Someone may be able to jump back in browser history or multistep shopping cart's and gather your personal data in the used forms if you have not invalidated your session. This is all about privacy. It's also recommended to expire the SSL session on browser window close as I know. The SSL session should also calculated based on IP address to prevent session hijacks with other IPs. It's not allowed to grant access to this shopping cart with the non-ssl session id.

@alexp999 sorry I didn't mean to call you out. I'm also following this issue as a past user of securepages, someone who thought it was necessary but have started using a workaround (see my previous comment) that actually seems more secure with no obvious downside.

That said, I'm definitely entering a world of FUD so I don't want to hijack this thread with untested paranoia.

As @hass says it's all about privacy. A shopping cart block typically follows a user all around a site and may reveal all sorts of personal stuff about that user. It's not up to the site admin what should be "really" private. Securepages, with its emphasis on URLs (pages), ignores that.

The only known 100% secure way is encrypting *all* requests. All other variants may theoretically lead to troubles and hijacking. This is the reason why Google, Facebook and some others enabled SSL by default. So if you have an SSL accelerator in front of your box, it could be seen as a recommendation to enable SSL on all pages, not only a few pages like a mixed mode environment. If you have low budget servers you may not have the horse power to run all URLs via SSL encryption. SSL slow down page loading... all OT here.

Not quite sure why my post came up with all those tags, I didn't set or change any..... :S

I guess I crossposted earlier...

So basically we could agree that there may be use cases where you want to use mixed mode just to provide a minimal level of security to protect the data being transferred as an alternative to not use SSL at all. There is no reason for Drupal not to support this, right? This does not prevent anyone to enforce SSL globally.

Just to chime in, my use case is the exact same as @jazzdrive3 in #181 above. Anonymous users never hit https (for performance sake) but of course as a Commerce site we require it for handling sensitive customer data.

The use case of data from the anonymous insecure session being migrated to the secure session actually should already work at present. So I'm not sure why it doesn't work w/ Commerce.

There is logic in _drupal_session_read() which, on the HTTPS site, if no secure session is found, checks the sessions table for an anonymous session with the non-HTTPS-only cookie. Any session data found there (e.g. shopping cart) is read into the session - and will be included in the new secure session which is saved.

If you put this in your settings.php and visit the HTTP site followed by the HTTPS site, you should see that the secure session ends up with both the data from the insecure session and the secure session (you have to look in the sessions db table to see the session data):

krlucas: I think your analysis is overlooking the fact that mixed mode is intended to be combined with forced HTTPS redirects to "important" pages (where important is defined by the site builder). An attacker can hijack the insecure half of the mixed session, but not the secure half.

repeating my comment from #11:

As I see it using mixed-mode in the first place means being willing to accept some compromises and also taking responsibility for configuring your modules wisely. I do share your general skepticism about mixed-mode: with modern CPUs, it's a compromise that's becoming less necessary, and with SSL-stripping one that's less effective. Nonetheless this is a use-case that has been possible in the past and still has a place in the ecosystem.