Comments on: Is InformationWeek right? Are most all Drupal sites insecure? http://robinmonks.com/2008/08/21/is-informationweek-right-are-most-all-drupal-sites-insecure/ Only the interesting stuff. Fri, 19 Mar 2010 18:00:29 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: In the eyes of Robin Monks » Security theater #1 - Using SSL for login | Heine http://robinmonks.com/2008/08/21/is-informationweek-right-are-most-all-drupal-sites-insecure/comment-page-1/#comment-1365 In the eyes of Robin Monks » Security theater #1 - Using SSL for login | Heine Fri, 22 Aug 2008 16:03:54 +0000 http://robinmonks.com/?p=85#comment-1365 [...] from Drupal IRC was kind enough to explain the SSL issues that I mentioned here and here in much greater detail. Head to his blog for the full article. Thanks Heine! Image via [...] [...] from Drupal IRC was kind enough to explain the SSL issues that I mentioned here and here in much greater detail. Head to his blog for the full article. Thanks Heine! Image via [...]

]]> By: In the eyes of Robin Monks » Are HTTPS Drupal sites insecure? Not anymore! http://robinmonks.com/2008/08/21/is-informationweek-right-are-most-all-drupal-sites-insecure/comment-page-1/#comment-1363 In the eyes of Robin Monks » Are HTTPS Drupal sites insecure? Not anymore! Fri, 22 Aug 2008 12:13:11 +0000 http://robinmonks.com/?p=85#comment-1363 [...] Facebook, Gmail, addons.mozilla.org, most Drupal sites, and many online merchants and banks. ”In the eyes of Robin Monks, Aug [...] [...] Facebook, Gmail, addons.mozilla.org, most Drupal sites, and many online merchants and banks. ”In the eyes of Robin Monks, Aug [...]

]]> By: Christefano http://robinmonks.com/2008/08/21/is-informationweek-right-are-most-all-drupal-sites-insecure/comment-page-1/#comment-1362 Christefano Fri, 22 Aug 2008 09:41:44 +0000 http://robinmonks.com/?p=85#comment-1362 There's a patch that just landed in core that addresses this particular issue in Drupal: http://drupal.org/node/170310 Mike Perry probably mentioned Drupal since that's what his website is running. There’s a patch that just landed in core that addresses this particular issue in Drupal:

http://drupal.org/node/170310

Mike Perry probably mentioned Drupal since that’s what his website is running.

]]> By: John Wilkins http://robinmonks.com/2008/08/21/is-informationweek-right-are-most-all-drupal-sites-insecure/comment-page-1/#comment-1361 John Wilkins Fri, 22 Aug 2008 02:22:57 +0000 http://robinmonks.com/?p=85#comment-1361 We're way ahead of you! :-) http://drupal.org/node/170310 addresses the SSL-based session cookie issue. Dries committed it 3 days ago to Drupal 7 and Drupal 6. And Drupal 5 will be patched shortly. Here's the comments I wrote for the patch: “To prevent session cookies from being hijacked, a user can configure the SSL version of their website to only transfer session cookies via SSL by using PHP's session.cookie_secure setting. The browser will then use two separate session cookies for the HTTPS and HTTP versions of the site.” And the HTTPS session cookie will be protected from hijacking. You'll still need to configure HP's session.cookie_secure setting on the SSL version of the website, as Drupal doesn't enforce that. We’re way ahead of you! :-)

http://drupal.org/node/170310 addresses the SSL-based session cookie issue. Dries committed it 3 days ago to Drupal 7 and Drupal 6. And Drupal 5 will be patched shortly.

Here’s the comments I wrote for the patch:

“To prevent session cookies from being hijacked, a user can configure the SSL version of their website to only transfer session cookies via SSL by using PHP’s session.cookie_secure setting. The browser will then use two separate session cookies for the HTTPS and HTTP versions of the site.” And the HTTPS session cookie will be protected from hijacking.

You’ll still need to configure HP’s session.cookie_secure setting on the SSL version of the website, as Drupal doesn’t enforce that.

]]>