have an option to set the Secure flag for trac_session cookies
Reported by:
Owned by: Remy Blank
Severity: normal
Keywords: cookie secure security patch
If you run Trac entirely under HTTPS (e.g. at https://example.com/), there's no reason why you'd want the trac_session cookie to be sent in the clear (e.g. if users point their browsers to http://example.com/ by accident). The solution to this is to be able to set the secure flag on the session cookie, which asks the browser to only transmit the cookie when access is made via TLS.

I realize that not everyone who runs Trac under HTTPS wants this (they may prefer to have a session persist across both HTTP and HTTPS accesses), but for those of us who run Trac permanently behind TLS, it is a shame that end users' web browsers will freely transmit their session identifier in the clear if a wrong address is typed into the address bar.

While sessions being tied to IP addresses is a mitigating factor here, it doesn't solve the most common case of cookie-sniffing, which is by a close peer on the LAN. In today's NAT'ed LANs it is much more likely that neighbors (i.e. office-mates, etc.) will share a public IP address. This makes the session re-usable by those most able to sniff the local network.

A simple setting in trac.ini would be great.

If this is already an option, please let me know how! I've searched the documentation and the source code and couldn't sort it out.

Thanks again for all your work on Trac.
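The behaviour the ticket asks for, as an added example that is not Trac's own code: a trac.ini-style switch decides whether the trac_session Set-Cookie header carries the Secure flag, and a small audit helper reports which protective flags a given Set-Cookie value lacks. The option name secure_cookies, the sample ini text and the session id are assumptions made for this example.

```python
import configparser
from http.cookies import SimpleCookie

# Constructed trac.ini fragment; "secure_cookies" is an assumed option name
# for this example, not a claim about Trac's real configuration keys.
SAMPLE_INI = """
[trac]
secure_cookies = true
"""


def secure_cookies_enabled(ini_text: str) -> bool:
    """Read the assumed secure_cookies switch from trac.ini-style text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getboolean("trac", "secure_cookies", fallback=False)


def build_session_cookie(session_id: str, secure: bool, path: str = "/") -> str:
    """Return the Set-Cookie header value for a trac_session cookie.

    With secure=True the browser only sends the cookie over TLS, so an
    accidental http:// visit never puts the session id on the wire in clear.
    """
    cookie = SimpleCookie()
    cookie["trac_session"] = session_id
    cookie["trac_session"]["path"] = path
    cookie["trac_session"]["httponly"] = True
    if secure:
        cookie["trac_session"]["secure"] = True
    # output(header="") yields " name=value; attrs"; strip the leading space.
    return cookie.output(header="").strip()


def missing_cookie_flags(set_cookie_value: str) -> list:
    """Audit a Set-Cookie value and list the protective flags it lacks."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    secure = secure_cookies_enabled(SAMPLE_INI)
    header = build_session_cookie("constructed-session-id", secure)
    print("Set-Cookie:", header)
    print("missing flags:", missing_cookie_flags(header))
```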