SecureFlag issue

Added by Daryl du Plessis almost 7 years ago

Hi,

I recently had a security audit performed on our Open Project server installation and overall the security level is good except for the SecureFlag issue. This is where the cookie used to identify the user’s session “_open_project_session” is not flagged as secure and could allow for a MITM hijacking of the session. Is it possible for this to be changed or a mitigation of some sort (change to a setting)? See this link for more info:

https://www.owasp.org/index.php/SecureFlag


Replies (3)

RE: SecureFlag issue - Added by Oliver Günther almost 7 years ago

Hi Daryl,

Thanks for the report. This is indeed an issue, since the secure flag is not tied to the Setting.protocol option in OpenProject (configured automatically by the packaged installation when you set up SSL, for example).

You currently need to set the configuration rails_force_ssl. To do that in the packaged installation, run the following command:

openproject config:set OPENPROJECT_RAILS__FORCE__SSL=true

In a manual installation, export it as an ENV var instead (or set in config/configuration.yml).

This is tracked to be fixed in 7.4.5, which will make this flag the default whenever https is set.

Any chance you have a result of that audit that you can make available to us?

Best,
Oliver
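A practical way to confirm that the change above took effect is to look at the Set-Cookie header the server sends and check that the session cookie carries the Secure attribute (and, as a second good practice, HttpOnly). The following script is an added example written for this thread; it is not OpenProject code. The two header sets are constructed to mimic a response before and after rails_force_ssl is enabled; the cookie name `_open_project_session` is the one named in the question, and the helper `fetch_headers` (which uses only the standard library) is an assumption for running the same audit against a live instance.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not OpenProject's code. Cookie attribute names are matched
case-insensitively, as RFC 6265 requires, so "secure" and "Secure" both count.
"""
import sys
import urllib.request


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: value|True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure/HttpOnly have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(headers, cookie_name=None):
    """Return a list of findings for cookies lacking Secure or HttpOnly.

    headers: list of (header-name, header-value) tuples, as returned by
             http.client.HTTPResponse.getheaders().
    cookie_name: restrict the audit to one cookie; None audits every cookie.
    """
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if cookie_name is not None and name != cookie_name:
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly attribute")
    return findings


def fetch_headers(url):
    """Assumed helper: fetch a URL and return its response headers as tuples."""
    with urllib.request.urlopen(url) as resp:  # nosec: operator-supplied URL
        return resp.getheaders()


# Constructed sample responses (not captured from a real server).
BEFORE_FIX = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "_open_project_session=abc123; path=/; HttpOnly"),
]
AFTER_FIX = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "_open_project_session=abc123; path=/; secure; HttpOnly"),
]
# A cookie with no protective attributes at all, to show both findings.
BARE_COOKIE = [("Set-Cookie", "_open_project_session=abc123; path=/")]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python cookie_audit.py https://openproject.example/
        for line in audit_cookies(fetch_headers(sys.argv[1])) or ["no findings"]:
            print(line)
    else:
        for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
            print(label, audit_cookies(hdrs, "_open_project_session") or "ok")
```

Run without arguments the script audits the two constructed header sets and reports the missing Secure attribute only for the "before" case; pass a URL to audit a live instance over https, since a plain-http URL will never receive a Secure cookie and the finding would be expected.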

RE: SecureFlag issue - Added by Daryl du Plessis almost 7 years ago

Hi Oliver,

Thanks for the quick response. I have made the recommended changes.

The assessment didn’t find anything else of significance with the OP server, so that is good. I will not be able to send you the details as it contains sensitive information regarding the internal network etc.

Regards
Daryl

RE: SecureFlag issue - Added by Oliver Günther almost 7 years ago

Hi Daryl,

Thanks for the info, and no worries regarding the details. We will release a 7.4.5 that will automatically set that flag for all users, likely today.

Best,
Oliver
