In the web installer, use secure session cookies
b53bc2667aa9 (Unpublished)

Unpublished Commit

  • Publishing Disabled: All publishing is disabled for this repository.
  • Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

In the web installer, use secure session cookies

When starting a session when the detected protocol is HTTPS, use
cookie_secure=1 so that the session cookie has the secure attribute.

Without the secure attribute, a CSRF attack could be used to send
cookies over an insecure channel, leaking the session ID to an attacker
with network access.

Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)
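
The behaviour described in the commit message, sketched as an added example (not MediaWiki's installer code; the function names `detectProtocol` and `sessionOptions` and the sample inputs are hypothetical): the session is started with `cookie_secure` only when the request is detected as HTTPS.

```php
<?php
// Added illustration; function names and sample inputs are hypothetical.

/** Return 'https' or 'http' for a request described by a $_SERVER-style array. */
function detectProtocol(array $server): string {
    // PHP sets HTTPS to a non-empty value under TLS; IIS (ISAPI) reports "off" for plain HTTP.
    $https = $server['HTTPS'] ?? '';
    return ($https !== '' && strtolower($https) !== 'off') ? 'https' : 'http';
}

/** Build the options array to pass to session_start(). */
function sessionOptions(array $server): array {
    $options = [];
    if (detectProtocol($server) === 'https') {
        // Sets the Secure attribute, so the browser never sends
        // the session cookie over a plain HTTP connection.
        $options['cookie_secure'] = 1;
    }
    return $options;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    'TLS request'    => ['HTTPS' => 'on'],
    'plain HTTP'     => [],
    'IIS plain HTTP' => ['HTTPS' => 'off'],
];
foreach ($samples as $label => $server) {
    printf("%-15s cookie_secure=%d\n", $label, sessionOptions($server)['cookie_secure'] ?? 0);
}

// In a request handler:
//   session_start(sessionOptions($_SERVER));
//   session_get_cookie_params()['secure'] then reports whether the attribute is set.
```

A quick check after deployment is to load the installer over HTTPS and confirm that the `Set-Cookie` response header for the session cookie carries the `secure` attribute.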

Details

Provenance
tstarling authored on Jun 25 2020, 6:03 AM
Reedy committed on Jun 25 2020, 1:32 PM
Parents
rMWe080919a8b0f: Start 1.34.3
Branches
Unknown
Tags
Unknown
ChangeId
I1a4b612425a16da1a7a8fd855f376a377b0b48d7