Insecure cookie on redirect

Started by Black Tiger, December 24, 2017, 09:57:33 PM


Black Tiger

For starters.... Merry Christmas everybody!

I would like to have secure cookies, so I'm using the "Force secure" on the cookie. And I want the forums SSL only.
However, when testing my forums, I always get "The 'secure' flag is not set on this cookie."

As soon as I remove the .htaccess redirect, cookie is secured.

However, this same redirect I use with a couple of phpBB forums on the same and other servers, no issue there.
I also tried to use a second .htaccess in the /forum directory but that did not solve it either.

So I checked simplemachines.org and they don't have that issue because they are not using a redirect. The forums here are served in http and https, which I don't want.

Is there some fix for this? Or why do the cookies turn insecure on SMF installations purely because of a redirect?
Greetings, Black Tiger

Kindred

I have no idea what you mean...

If you set your forum URLs to https and add the htaccess redirect, it should all work just fine. I have done so on 6 different forum sites with no issues such as you describe.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Chen Zhen

I believe he is referring to web server security settings for e.g. Apache, Nginx, IIS, etc.
This requires settings at the server level; otherwise .htaccess or web.config might be an option.

e.g. Apache .htaccess:

Header set Set-Cookie HttpOnly;Secure


Black Tiger,
  Imo it would not be prudent for the SMF installation to automatically create a directives file or edit an existing one for obvious reasons.
I suppose they could create a page giving instructions or perhaps an option to create the file for you with some warnings (e.g. overwriting/editing an existing .htaccess/web.config file).
Currently it is up to you to adjust your server settings for what you are referring to.



My SMF Mods & Plug-Ins

WebDev

"Either you repeat the same conventional doctrines everybody is saying, or else you say something true, and it will sound like it's from Neptune." - Noam Chomsky

Black Tiger

@Kindred: Maybe because you did not test them the way I did. Check them on http://securityheaders.io and you'll see what I'm talking about. ;)
I don't mind the other things discovered there which I can fix myself, I just wondered about the cookie because the other forum software have them secure with redirect.

@Chen Zhen: I don't know exactly how phpBB for example is doing it, I only know that it's working without any need to add a "Set-Cookie Secure" in .htaccess. The only thing needed is the redirect to SSL.
So there is no real need for a forum software to overwrite a .htaccess or web.config file for a secure cookie as far as I can see.

However, if it can be fixed by adding the line to .htaccess then I will do it like that, thank you!
Greetings, Black Tiger

Arantor

It's perfectly possible to set the secure setting on cookies, except for historical reasons it doesn't exist in SMF. You need to modify the calls to setcookie except SMF rolled its own years ago...

Black Tiger

Okay, that clears things up a bit.
Thank you for the explanation!
Greetings, Black Tiger

Black Tiger

Hmmz... just discovered, if I use the code from Chen Zhen, then users can't login or logout anymore.
It's causing a "Session verification failed. Please try logging out and back in again".

I'll try to figure that out later. :)
Greetings, Black Tiger

Chen Zhen

Yes that was for an older version of Apache.
For v2.4+, something like this may work for you:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Black Tiger

Thank you, I will try this later. I found a page with some examples, also to prevent double settings if already issued by the application.
However, it also says this:
The only real downside to this is if you need a cookie, either for HTTP requests, or for client side scripting then you shouldn't set these flags or this will break.
Wouldn't it break things then because don't we need the login cookie of SMF for HTTP requests?
Greetings, Black Tiger

Chen Zhen
Look into Header append which will add to current settings instead of replacing them.


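The two Apache directives posted in this thread behave quite differently, and the difference explains both the login breakage and the "double settings" concern. The following Python script is an added illustration, not code from SMF or from anyone in this thread: it emulates what `Header set` and `Header edit` do to a response's Set-Cookie headers, audits each cookie for the Secure and HttpOnly flags the way a header scanner does, and shows an idempotent rewrite that only appends flags that are missing. The cookie names and values are constructed samples, not SMF's real cookie names.

```python
import re

# Constructed sample Set-Cookie values, standing in for what a PHP forum might
# send on one response. The names are made up and are not SMF's own cookies.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; path=/",
    "forum_login=u1-tok; expires=Sat, 06 Jan 2018 20:00:00 GMT; path=/; HttpOnly",
    "prefs=dark; path=/; Secure; HttpOnly",
]


def cookie_flags(header_value):
    """Return the lower-cased attribute names present on one Set-Cookie value."""
    attributes = [p.strip() for p in header_value.split(";")[1:]]
    return {a.split("=", 1)[0].lower() for a in attributes if a}


def audit(header_value):
    """List the hardening flags a Set-Cookie value is missing (what securityheaders-style scanners report)."""
    flags = cookie_flags(header_value)
    return sorted(f for f in ("secure", "httponly") if f not in flags)


def apache_header_set(headers, value):
    """Emulate `Header set Set-Cookie <value>`.

    `set` replaces the header outright, so every Set-Cookie the application
    produced (including the session cookie) is discarded and the literal value
    is sent instead. The browser never receives the session cookie.
    """
    return [value]


def apache_header_edit(headers, pattern, replacement):
    """Emulate `Header edit Set-Cookie <pattern> <replacement>`.

    `edit` applies a regex substitution to each existing Set-Cookie value.
    Apache writes back-references as $1..$9; Python's re uses \\1..\\9.
    """
    py_replacement = re.sub(r"\$(\d)", r"\\\1", replacement)
    return [re.sub(pattern, py_replacement, h) for h in headers]


def add_flags_once(header_value):
    """Idempotent alternative: append HttpOnly/Secure only when not already present."""
    flags = cookie_flags(header_value)
    out = header_value.rstrip("; ")
    if "httponly" not in flags:
        out += "; HttpOnly"
    if "secure" not in flags:
        out += "; Secure"
    return out


def demo():
    """Run the three approaches over the sample headers and return the results."""
    # The first directive from the thread: replaces the session cookie entirely.
    set_result = apache_header_set(SAMPLE_SET_COOKIE, "HttpOnly;Secure")
    # The second directive from the thread: appends the flags to every cookie,
    # including ones that already carry them (hence duplicated flags).
    edit_result = apache_header_edit(SAMPLE_SET_COOKIE, r"^(.*)$", "$1;HttpOnly;Secure")
    # Flag-aware rewrite: no duplicates, cookies already hardened are untouched.
    once_result = [add_flags_once(h) for h in SAMPLE_SET_COOKIE]
    return {
        "before_audit": {h: audit(h) for h in SAMPLE_SET_COOKIE},
        "header_set": set_result,
        "header_edit": edit_result,
        "add_flags_once": once_result,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name)
        print(" ", value)
```

Running it shows the session cookie vanishing under `Header set` (consistent with the "Session verification failed" report earlier in the thread), every cookie gaining `;HttpOnly;Secure` under `Header edit`, with `prefs` ending up carrying each flag twice, and `add_flags_once` producing the same hardened set without duplicates. Since the forum is redirected to HTTPS anyway, a Secure login cookie is still sent on every request the browser actually makes, so the flag does not interfere with logging in over the redirected site.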
Black Tiger

Greetings, Black Tiger
