"Force cookies to be secure" is grayed out

Started by tfs, November 30, 2010, 01:03:56 AM


tfs

My server has HTTPS available, and I've got SMF paths set up to run via HTTPS.  It seems to be working fine.  But when I go to "Admin/Configuration/Server Settings/Cookies and Sessions" the option for "Force cookies to be secure" is grayed out and unavailable.

I can't seem to figure out what is preventing that check box from being available.

SMF 2.0 RC4
A good tree cannot bring forth evil fruit, neither can an evil tree bring forth good fruit.

青山 素子

Hold your horses, not everyone looks in this board as there are usually issues with higher technical knowledge required posted here.

If it's part of the SMF core, and if I get time (we'll see on that one...), I'll poke the code and see what the conditions are. You are welcome to do the same as the answer should show itself there.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


tfs

Thanks.  I didn't want to bump it, as I know it can be interpreted as being inconsiderate to the volunteer spirit.  I just figured that nobody who saw the question knew the answer off-hand, and I just couldn't resist.  I'm afraid I'm not much help with PHP source code analysis.

I have verified that even though I'm connected via HTTPS for all forum pages, if I look at the properties of the cookie in Firefox (Tools/Options/Privacy/Show Cookies) it has a line that says...

Send for: Any type of connection

I've deleted the cookie and reconnected with the same results.

tfs

Some FUP information.

My phpinfo() had indicated session.cookie_secure was Off.  Via the php.ini file I changed that to On.  Still no change in SMF.  The check box is grayed out.

If someone has an example phpinfo() from a server where this works I could do a comparison to see if it's a server issue that's detectable via phpinfo().

flapjack

when you connect via ssl then automatically your cookies are secure, no?

tfs

Quote from: flapjack on December 02, 2010, 04:39:10 PM
when you connect via ssl then automatically your cookies are secure, no?

Not automatically.  There's a setting within a cookie that tells it that it's only allowed to be sent via https/ssl.  Even if the connection is https, and all of the traffic is encrypted, it's possible for the cookie to leak the session info via a non-encrypted protocol.  Since the release of Firesheep, hijacking that session info is trivial.

In Firefox you can see the status of a cookie under (Tools/Options/Privacy/Show Cookies).  Locate the cookie in question and if it says (Send for: Any type of connection) then it can leak.  It should say (Encrypted connections only).  To get it to be for encrypted connections only in SMF you need to check that checkbox in the settings (noted above).  But my checkbox is grayed out.


tfs

It looks like SleePy over at www.simpledesk.net figured this one out in THIS thread.  It's a bug in SMF 2.0 RC4.

In ManageServer.php

Change this:
array('secureCookies', $txt['secureCookies'], 'db', 'check', false, 'secureCookies',  'disabled' => !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on'),

To this:
array('secureCookies', $txt['secureCookies'], 'db', 'check', false, 'secureCookies',  'disabled' => !isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != '1'),

SleePy said he'd make the change in SMF's code to repair the issue for the next release.

Now the checkbox for SSL cookies is available, and after I selected it my two generated cookies are now both (Encrypted connections only).  Hot dang!  :)  Now I can log into the forum from an open wifi without getting punked.
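The two points in this thread, that a cookie without the Secure attribute is still sent over plain HTTP even when the site runs on HTTPS, and that $_SERVER['HTTPS'] is set to 'on' on some servers and '1' on others so a single-literal comparison disables the checkbox, can be demonstrated in a few lines. The following is an added example written for this thread; it is not SMF's code and not SleePy's patch. The function names request_is_https, cookie_flags and issue_session_cookie are my own, the setcookie() options array needs PHP 7.3 or later, and the Set-Cookie line at the bottom is a constructed sample, not a header captured from a real forum.

```php
<?php
// Added example, not SMF code. Helper names are hypothetical.

/**
 * Report whether a request arrived over TLS, using the same $_SERVER['HTTPS']
 * variable the SMF setting checks. Apache and most FastCGI setups set it to
 * 'on', some servers set it to '1', and IIS sets it to 'off' for plain HTTP,
 * so comparing against one literal (the RC4 behaviour) is too narrow.
 */
function request_is_https(array $server): bool
{
    if (!isset($server['HTTPS'])) {
        return false;
    }
    $https = strtolower(trim((string) $server['HTTPS']));
    return $https !== '' && $https !== 'off';
}

/**
 * Parse one Set-Cookie header value and return its name and attribute flags,
 * so an administrator can confirm from a raw response what the Firefox
 * cookie viewer shows ("Encrypted connections only" means Secure is set).
 */
function cookie_flags(string $setCookie): array
{
    $parts = array_map('trim', explode(';', $setCookie));
    $nameValue = array_shift($parts);
    $name = strstr($nameValue, '=', true);
    $flags = [
        'name'     => $name !== false ? $name : $nameValue,
        'secure'   => false,
        'httponly' => false,
    ];
    foreach ($parts as $attr) {
        // Attributes like "expires=..." carry a value; "secure" and "HttpOnly" do not.
        $key = strtolower(strstr($attr, '=', true) ?: $attr);
        if ($key === 'secure') {
            $flags['secure'] = true;
        } elseif ($key === 'httponly') {
            $flags['httponly'] = true;
        }
    }
    return $flags;
}

/**
 * Issue a session cookie with Secure and HttpOnly. Secure is set only when the
 * request itself is HTTPS: a Secure cookie issued on a plain-HTTP response is
 * never sent back by the browser, which would lock the user out.
 */
function issue_session_cookie(string $name, string $value, array $server): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => request_is_https($server),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed inputs, not taken from a real server.
foreach (['on', '1', 'off', ''] as $v) {
    printf("HTTPS=%-5s -> %s\n", var_export($v, true),
        request_is_https(['HTTPS' => $v]) ? 'https' : 'http');
}
print_r(cookie_flags(
    'SMFCookie956=abc123; expires=Wed, 01 Dec 2010 01:03:56 GMT; path=/; secure; HttpOnly'
));
```

Run from the command line the script prints https for 'on' and '1' and http for 'off' and the empty string, and reports secure and httponly as true for the sample cookie; a cookie line without "secure" comes back with secure false, which is the "Send for: Any type of connection" state described earlier in the thread.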

debiwebi

Quote from: tfs on November 30, 2010, 01:03:56 AM
My server has HTTPS available, and I've got SMF paths set up to run via HTTPS.  It seems to be working fine.  But when I go to "Admin/Configuration/Server Settings/Cookies and Sessions" the option for "Force cookies to be secure" is grayed out and unavailable.

I can't seem to figure out what is preventing that check box from being available.


I know this is a really, really old topic, and I'm not even sure if this is important for my purposes. I'm testing free SSL on a site I'd originally set up for something else. It mostly seems to be working, but there are still some security issues and when I found this topic I wasn't sure if this could be a part of it.

I'm using 2.0.11, have all the paths set for the https, but yet the "force cookies" box is greyed out. I'm sure the old bug has long been fixed, so why is the force cookies box still greyed out? Is there some other setting I need to change first? I have no mods installed.

https://smf-friends.cf/index.php

Some mornings it just isn't worth
chewing through the leather straps.
~Emo