I need to change the "secure" and "httpOnly" values of the cookies, as I am getting a vulnerability error "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute".
I have tried from the settings.php using the following code:
ini_set('session.cookie_secure', 1);
However it didn't work, I also tried with some modules but it didn't work either.
| Comment | File | Size | Author |
|---|---|---|---|
| #22 | 3332352-cookie-attributes-01.patch | 147.31 KB | atowl |
| #19 | eu_cookie_compliance-secure-cookie-3332352-18.patch | 74.54 KB | alex.bukach |
| #9 | Screenshot 2024-07-18 at 15.45.45.png | 100.05 KB | emircan erkul |
Show commandsStart within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
lejuanchis commentedComment #3
semapo82 commentedHi, we have the same problem, so I'll work in a solution to add this secure flag from the config form to make it optional.
Comment #4
semapo82 commentedSorry, but we can't update the module to the last version right now and I've to work in a local patch.
Comment #5
svenryen commentedI'll assume this report concerns 8.x-1.x.
Comment #6
Elzan commentedDoes anyone have an idea about this issue? i use drupal 10 and the module eu cookie compliance
Comment #9
emircan erkul commentedMy PR includes secure attribute options for both. We can not make httpOnly true because eu_cookie_compliance uses those cookies via JS.
Comment #11
alex.bukach commentedProvided patch for 8.x-1.24 based on MR!142.
Comment #12
adamcadot commentedThe patch does not apply to 8.x-1.25. Needs reroll.
Comment #14
prem suthar commentedComment #15
pilot3 commentedhi @prem suthar, I updated the module to 1.25, and tried to apply the patch with your new commit. The patch can't apply.
Comment #16
pilot3 commentedComment #17
kruser commentedthis won't apply to the security release either - 1.26.0
Comment #19
alex.bukach commentedCreated MR!160 that re-rolls patch #11 against HEAD (still based on the idea of MR!142). Here's the respective patch.
Comment #21
atowl commentedThanks @alex.bukach for the re-roll, i've made some corrections since the setCookies wasn't working.
I removed the version option, as this seems deprecated in modern times, feel free to correct me.
When set in the configuration, the Secure flag will now be set in the cookie.
I'm just wondering if someone happens to untick the config option for Secure, should the cookie consent pop up again?
Also - haven't done anything about httpOnly, should we be checking headers? i'm not sure if we can? Or should it be an option that is set by default and we unset it if not needed?
i'll leave this in needs review, if the community could test, and i'll look at merging this for the next release.
Thanks!
Comment #22
atowl commentedI've re-rolled the MR160 to be up to date with the main branch,
also attached a patch for those following.
if this is acceptable we can look at merging this into the next release