Closed Bug 449983 Opened 17 years ago Closed 17 years ago

Cookies should be created as SSL-only

Tracking

(Not tracked)

Status:

VERIFIED DUPLICATE of bug 449974

People

(Reporter: morgamic, Assigned: morgamic)

Details

Michael Morgan [:morgamic]

Assignee

Description

•

17 years ago

We don't have the secure flag on our AMO cookies, which means that if someone did a man-in-the-middle attack they could steal AMO sessions. Most AMO traffic that is automated uses https:// explicitly, but when people type in the domain it has to redirect from http->https. That scenario is the one of concern.

Michael Morgan [:morgamic]

Assignee

Comment 1

•

17 years ago

We need to: * patch cookie creation to create cookies with the secure bit * nuke all existing AMO sessions We could also consider: * disabling http->https redirects

Michael Morgan [:morgamic]

Assignee

Updated

•

17 years ago

Assignee: nobody → morgamic

Michael Morgan [:morgamic]

Assignee

Updated

•

17 years ago

Status: NEW → RESOLVED

Closed: 17 years ago

Resolution: --- → DUPLICATE

Stephen Donner [:stephend] Not actively reading bugmail

Comment 3

•

16 years ago

Verified dup

Status: RESOLVED → VERIFIED

Jesse Ruderman

Updated

•

16 years ago

Group: client-services-security

Nobody; OK to take it and work on it

Updated

•

9 years ago

Product: addons.mozilla.org → addons.mozilla.org Graveyard

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Cookies should be created as SSL-only

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

Tracking

(Not tracked)

People

(Reporter: morgamic, Assigned: morgamic)

References

Details

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Updated

Comment 3

Updated

Updated