dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b5f555a) | patch
In the web installer, use secure session cookies
authorTim Starling <tstarling@wikimedia.org>
Thu, 25 Jun 2020 06:03:35 +0000 (16:03 +1000)
committerReedy <reedy@wikimedia.org>
Thu, 25 Jun 2020 13:32:22 +0000 (13:32 +0000)
commitb10c41a2947eea81a1b323952c928cda5263f837
tree3ba0d9898cd3b96bbac7f7d930e991133fd1faf2tree | snapshot
parentb5f555a3c1b52b6f7387651eb5a04807124f7b39commit | diff
In the web installer, use secure session cookies

When starting a session when the detected protocol is HTTPS, use
cookie_secure=1 so that the session cookie has the secure attribute.

Without the secure attribute, a CSRF attack could be used to send
cookies over an insecure channel, leaking the session ID to an attacker
with network access.

Change-Id: I1a4b612425a16da1a7a8fd855f376a377b0b48d7
(cherry picked from commit 9ba8f8d12475a37848eaadae0effae8d956e3342)
includes/installer/WebInstaller.php diff | blob | history
Wiklou, le Wiki du Wiklou