CKAN session cookie is not marked Secure #2138

Closed
adborden opened this issue Sep 15, 2020 · 6 comments
@adborden
Contributor

`who.secure = True` in `production.ini` for Inventory and Catalog, but I'm seeing the cookies not marked as Secure within the browser.

How to reproduce

  1. Log in to https://inventory.data.gov/user/login
  2. Open developer tools (Application tab in Chrome) to view the cookies.

Expected behavior

Session cookie is marked Secure.

Actual behavior

Session cookie is not marked Secure.

@adborden adborden added bug Software defect or bug component/catalog Related to catalog component playbooks/roles component/inventory Inventory playbooks/roles labels Sep 15, 2020
@adborden
Contributor Author

I wonder if this is related to apache2 listening on HTTP instead of HTTPS.

@FuhuXia
Member

FuhuXia commented Jul 22, 2024

It is resolved on CKAN 2.9. While the cookie auth_tkt is set secure, the non-relevant cookie ckan is left insecure. Details are in the Slack discussion.

But after CKAN 2.10, the cookie auth_tkt is decommissioned; ckan is the only cookie now. We need to secure it.

@FuhuXia FuhuXia reopened this Jul 22, 2024
@Bagesary Bagesary moved this to 📔 Product Backlog in data.gov team board Jul 30, 2024
@Bagesary Bagesary moved this from 📔 Product Backlog to 🏗 In Progress [8] in data.gov team board Jul 30, 2024
@jbrown-xentity
Contributor

I believe catalog will only affect us if login problems persist, so I think that is the safest test. Then we can merge inventory.

@jbrown-xentity
Contributor

Inventory and Catalog are both updated, and the cookie is marked as secure. This should be able to be marked as complete.

@jbrown-xentity jbrown-xentity moved this from 👀 Needs Review [2] to ✔ Done in data.gov team board Aug 5, 2024
@Bagesary

Bagesary commented Aug 9, 2024

Fuhu will do a review and then bags can close.

@FuhuXia
Member

FuhuXia commented Aug 9, 2024

Verified ckan cookie is secure after the fix.

@FuhuXia FuhuXia closed this as completed Aug 9, 2024
@Bagesary Bagesary moved this from ✔ Done to 🗄 Closed in data.gov team board Aug 9, 2024
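
The browser check from the reproduction steps, and the later verification of the fix, can also be scripted against response headers. The following is an added example, not part of the original issue or the project's code: it parses `Set-Cookie` header values and lists the cookies that lack a given flag. The header values are constructed samples; only the cookie names `auth_tkt` and `ckan` come from the thread, and the function names are hypothetical.

```python
from typing import Dict, Iterable, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into its name and attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a Set-Cookie value: {header!r}")
    # Only the first name=value pair is the cookie itself; the rest are attributes.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return {"name": name.strip(), "attrs": attrs}


def cookies_missing_flag(headers: Iterable[str], flag: str = "secure") -> List[str]:
    """Return sorted names of cookies whose last Set-Cookie lacks `flag`."""
    has_flag = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        # A later Set-Cookie for the same name replaces the earlier one
        # (this sketch does not distinguish Domain/Path variants).
        has_flag[cookie["name"]] = flag.lower() in cookie["attrs"]
    return sorted(name for name, present in has_flag.items() if not present)


# Constructed header values modelling the three states described in the thread.
CKAN_2_9 = [
    "auth_tkt=CONSTRUCTED; Path=/; HttpOnly; Secure",
    "ckan=CONSTRUCTED; Path=/; HttpOnly",
]
CKAN_2_10_BEFORE_FIX = ["ckan=CONSTRUCTED; Path=/; HttpOnly"]
CKAN_2_10_AFTER_FIX = ["ckan=CONSTRUCTED; Path=/; HttpOnly; secure"]

if __name__ == "__main__":
    samples = [
        ("2.9", CKAN_2_9),
        ("2.10 before fix", CKAN_2_10_BEFORE_FIX),
        ("2.10 after fix", CKAN_2_10_AFTER_FIX),
    ]
    for label, headers in samples:
        print(label, cookies_missing_flag(headers) or "all cookies Secure")
```

Fed the `Set-Cookie` values captured from a login response, the same function can run as a deployment check so a missing `Secure` flag is caught before anyone has to open developer tools.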