[tor-bugs] #2098 [Trac]: Tor Trac sets cookies over HTTPS that can be sent over cleartext HTTP

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Nov 18 20:53:04 UTC 2010


#2098: Tor Trac sets cookies over HTTPS that can be sent over cleartext HTTP
----------------------+-----------------------------------------------------
 Reporter:  rransom   |       Owner:  erinn   
     Type:  defect    |      Status:  assigned
 Priority:  critical  |   Milestone:          
Component:  Trac      |     Version:          
 Keywords:            |      Parent:          
----------------------+-----------------------------------------------------

Comment(by dkg):

 well, what do you know. `trac_session` (before authentication) and
 `trac_auth` (after authentication) and `trac_form_token` (any time) all
 lack the secure flag when i view them in my alternate browser (arora). I
 must have some other kind of filtering going on in my firefox instance
 that auto-sets that flag for me.  is such a feature enabled in the latest
 0.3.0 build of https-everywhere?

 Anyway, yes, i agree with rransom that this is still a problem.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2098#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
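
Added example, not part of the original message or of Trac's code: the comment above suspects browser-side filtering was adding the flag, so this checks the raw `Set-Cookie` headers of an HTTPS response instead of the browser's cookie store. The header values and the `theme` and `hypothetical_ok` cookies are constructed sample data; the function names are hypothetical.

```python
# Audit raw Set-Cookie headers for cookies that lack the Secure attribute.
# Constructed sample headers, not captured from trac.torproject.org.
SAMPLE_HTTPS_RESPONSE_HEADERS = [
    ("Content-Type", "text/html;charset=utf-8"),
    ("Set-Cookie", "trac_session=aaaa1111; expires=Wed, 16-Feb-2011 20:53:04 GMT; Path=/projects/tor"),
    ("Set-Cookie", "trac_form_token=bbbb2222; Path=/projects/tor"),
    ("Set-Cookie", "trac_auth=cccc3333; Path=/projects/tor"),
    # The value contains the word "secure", but the attribute is absent.
    ("Set-Cookie", "theme=secure; Path=/"),
    # Attribute names are case-insensitive, so "SECURE" counts.
    ("Set-Cookie", "hypothetical_ok=1; Path=/; SECURE; HttpOnly"),
]


def parse_set_cookie(value):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute names to values."""
    parts = value.split(";")
    name, _, _ = parts[0].strip().partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(headers):
    """List cookie names set without Secure, in the order the server sent them."""
    missing = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(header_value)
        # Look at parsed attributes only; a substring search would be fooled
        # by a cookie value or path that happens to contain "secure".
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HTTPS_RESPONSE_HEADERS):
        print("missing Secure:", cookie)
```

For a live check, the list returned by `http.client.HTTPResponse.getheaders()` can be passed to `cookies_missing_secure` directly.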

