GNU Mailman

Using secure cookies when logging in via SSL

Asked by mark burdett

I would like to know if it's possible to configure mailman to set "secure" cookies when users log in via HTTPS. The secure cookie flag prevents cookies created at https://example.org/mailman/admin/foo from being sent over the wire unencrypted when the same user later visits http://example.org/mailman/listinfo/foo. Sending a cookie via HTTP, whether by tricking a user into visiting an HTTP URL on the same host and path, or when a user simply visits such a URL intentionally, can allow an eavesdropper or man-in-the-middle to hijack the authenticated session.

At http://mail.python.org/pipermail/mailman-developers/2003-June/015308.html is looks like it may be necessary to hack mailman by adding c[key]['secure'] = 'yes'

Question information

Language:
English Edit question
Status:
Solved
For:
GNU Mailman Edit question
Assignee:
No assignee Edit question
Solved by:
Mark Sapiro
Solved:
Last query:
Last reply:
Revision history for this message
Best Mark Sapiro (msapiro) said : 		#1

I think you've answered your own question. There is no configuration option/setting for this - you have to hack the code as you indicate.

Revision history for this message
mark burdett (mfb) said : 		#2

Thanks. It would be nice to have a config option to generate secure cookies if the connection is SSL..

Revision history for this message
mark burdett (mfb) said : 		#3

Thanks Mark Sapiro, that solved my question.

Revision history for this message
dkg (dkg0) said : 		#4

I've created a (very simple) patch that makes this a site-wide configuration option. It is posted at http://bugs.debian.org/606269