[tor-bugs] #10428 [EFF-HTTPS Everywhere]: Visiting http://awards.tweakers.net logs you out on tweakers.net
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 18 14:53:07 UTC 2013
#10428: Visiting http://awards.tweakers.net logs you out on tweakers.net
----------------------------------+---------------------
Reporter: cypherpunks | Owner: pde
Type: defect | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: httpse-ruleset-bug | Actual Points:
Parent ID: | Points:
----------------------------------+---------------------
The ruleset for *.tweakers.net doesn't enforce https for the subdomain
awards.tweakers.net. Combined with the securecookie rule this causes the
session-id cookie to be overwritten with a new one for a not-logged-in
session.
It probably is best to just be less specific wrt subdomains:
<rule from="^http://([a-z]+\.)?tweakers\.net/"
to="https://$1tweakers.net/" />
Also the exclusion rule for crossdomain.xml might not be necessary
anymore, but I haven't checked that yet.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10428>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
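The coverage gap described in the ticket can be checked mechanically. The following is an added example, not code from the ticket or from HTTPS Everywhere: it lists hosts whose cookies would be flagged Secure but whose plain-HTTP requests no rule rewrites. `PROPOSED_RULE` is the rule quoted above; `NARROW_RULE`, `SECURECOOKIE_HOST` and the host `static1.tweakers.net` are constructed assumptions, since the shipped ruleset is not shown on this page.

```javascript
// Added example: lint a ruleset for hosts where cookies are secured but
// plain-HTTP requests are not rewritten to HTTPS (the gap in this ticket).

// Rule proposed in the ticket, as a JavaScript regex.
const PROPOSED_RULE = {
  from: /^http:\/\/([a-z]+\.)?tweakers\.net\//,
  to: "https://$1tweakers.net/",
};
// Constructed stand-in for a subdomain-specific rule (assumption).
const NARROW_RULE = {
  from: /^http:\/\/(www\.)?tweakers\.net\//,
  to: "https://$1tweakers.net/",
};
// Constructed securecookie host pattern covering the whole domain (assumption).
const SECURECOOKIE_HOST = /^(.*\.)?tweakers\.net$/;

// Return the rewritten URL, or null when no rule matches.
function rewrite(rules, url) {
  for (const rule of rules) {
    if (rule.from.test(url)) return url.replace(rule.from, rule.to);
  }
  return null;
}

// Hosts whose cookies get the Secure flag but that can still be reached over
// plain HTTP. A Secure cookie is not sent on such a request, so the server
// sees no session and may set a fresh session-id, as the ticket reports.
function coverageGaps(rules, securecookieHost, hosts) {
  return hosts.filter(
    (h) => securecookieHost.test(h) && rewrite(rules, `http://${h}/`) === null
  );
}

// awards.tweakers.net is from the ticket; static1.tweakers.net is constructed.
const HOSTS = [
  "tweakers.net",
  "www.tweakers.net",
  "awards.tweakers.net",
  "static1.tweakers.net",
];

console.log("narrow rule gaps:  ", coverageGaps([NARROW_RULE], SECURECOOKIE_HOST, HOSTS));
console.log("proposed rule gaps:", coverageGaps([PROPOSED_RULE], SECURECOOKIE_HOST, HOSTS));
```

The proposed pattern `([a-z]+\.)?` only matches a single all-lowercase-letter label, so a host with digits or a second subdomain level would still show up as a gap.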