View Issue Details

IDProjectCategoryView StatusLast Update
0009533mantisbtsecuritypublic2008-10-18 18:32
Reporterjreese Assigned Tojreese  
Status closedResolutionfixed 
Product Version1.1.2 
Target Version1.1.3Fixed in Version1.1.3 
Summary0009533: Mantis should use secure sessions on https connections

Recently an issue with session cookies got some public attention:

(in german)

The problem is, if a site uses https only, but the user one time calls a http-url, the cookie is transferred unencrypted.

Mantis is vulnerable to that issue, the solution is to set the session cookies to be only used secure if the app is running on ssl. I've attached patches for both mantis 1.1 and 1.2.

As I'd consider this a security issue, I've assigned CVE-2008-3102 to it.

TagsNo tags attached.


related to 0009524 closedgrangeway Mantis should use secure sessions on https connections 




2008-08-13 09:00

reporter   ~0019143

Fix committed to SVN 1.1.x, r5511.