Closed (works as designed)
Project:
Drupal core
Version:
6.4
Component:
base system
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
1 Oct 2008 at 12:20 UTC
Updated:
1 Oct 2008 at 12:32 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=464162
From Fedora bug...
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session
cookie in an https session, which can cause the cookie to be sent in http
requests and make it easier for remote attackers to capture this cookie.
http://int21.de/cve/CVE-2008-3661-drupal.html
http://www.securityfocus.com/bid/31285
Comments
Comment #1
damien tournoud commented
First, security issues should not be filed in the public issue tracker, following our security guidelines.
Second, we consider that this is a configuration problem. It's your responsibility to set
session.cookie_secure in the SSL virtual host if you want an SSL-only website.
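The configuration change the comment refers to, as an added example that is not part of the original issue and not Drupal core code: the tail of a Drupal 6 sites/default/settings.php, with the session ini_set() lines Drupal ships followed by the setting that adds the Secure attribute. Drupal's shipped settings.php does not set session.cookie_secure, so PHP's default (off) applies and the SESS* cookie is emitted without Secure even on https responses. Scoping the setting to requests that arrived over TLS (the $_SERVER['HTTPS'] check) is an assumption of this example; the comment's own advice is to set the directive in the SSL virtual host instead.

```php
<?php
// Added example, not Drupal core code: end of a Drupal 6
// sites/default/settings.php on an SSL-only site.

// Session-related defaults as shipped in Drupal 6 settings.php (kept as is).
ini_set('session.cache_expire',     200000);
ini_set('session.cache_limiter',    'none');
ini_set('session.cookie_lifetime',  2000000);
ini_set('session.gc_maxlifetime',   200000);
ini_set('session.save_handler',     'user');
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid',    0);

// Weak (as shipped): session.cookie_secure is never set, so it stays at
// PHP's default of 0 and the session cookie has no Secure attribute. A
// browser will then send it along with any plain-http request for the
// same host, which is exactly what CVE-2008-3661 describes.

// Hardened: mark the session cookie Secure so browsers only send it over
// TLS. Checking $_SERVER['HTTPS'] here is an assumption of this example;
// it keeps the directive from affecting an http vhost that shares this
// settings.php. Enabling it on a site that still answers on http would
// break http logins, because the browser would withhold the cookie.
$request_is_https = !empty($_SERVER['HTTPS'])
  && strtolower($_SERVER['HTTPS']) !== 'off';
if ($request_is_https) {
  ini_set('session.cookie_secure', 1);
}
```

The equivalent per-vhost form, which is what the comment asks for, is a `php_value session.cookie_secure 1` line inside the `<VirtualHost *:443>` block of the Apache configuration (or `session.cookie_secure = 1` in a php.ini that only the SSL vhost uses). Either way, verify the result by fetching a page over https and checking that the `Set-Cookie` header for the SESS* cookie ends with a `; secure` attribute; if it does not, the directive is being applied to the wrong vhost or is overridden later in the PHP configuration.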