Session not working anymore after switch from secure (self signed) HTTPS Session to HTTP
Reported by
bluti...@googlemail.com,
Aug 22 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Steps to reproduce the problem:
You can use a file which is auto-prepended to each PHP file and looks like this:
<?php
// Mark the session cookie Secure only when the request arrived over HTTPS
if( (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') )
{
    ini_set('session.cookie_secure', '1');
}
1. open the HTTPS version of the URL
2. check secure cookie (is set)
3. check session values by set and get to the session id (are set)
4. directly switch to the HTTP version of the URL
5. check secure cookie (is not set) => correct
6. check session values by set and get to the session id => session values fail to set to new session ID. PHP generates a separate session for each Ajax call (session not kept).
7. enter HTTPS again, SESSION still accepted. But the session shall be dropped if switching from secure HTTPS to non-secure HTTP in my opinion.
OR
[Set secure session cookie]
1. Loaded https://www.example.com/
2. Opened dev tools and set session cookie 'foo=bar; secure' by js script on Console.
3. Confirmed session cookie 'foo=bar' which had stored in db.
[Set session cookie]
1. Loaded http://www.example.com/
2. Opened dev tools and set session cookie 'foo=bar2' by js script on Console.
3. Confirmed session cookie 'foo=bar2' which had stored in db.
[Switched to https]
1. Loaded https://www.example.com/
2. Opened Storage to confirm 'foo=bar' still stored in db.
3. 'foo=bar' was not removed.
What is the expected behavior?
HTTP session shall be a valid new one after switching from HTTPS.
What went wrong?
Secure Cookie needs to be deleted after switch to HTTPS.
Session must work correctly afterwards.
Did this work before? Yes 57.0.2987.133
Does this work in other browsers? N/A
Chrome version: 60.0.3112.101 (Offizieller Build) (64-Bit) (Kohorte: Stable) Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 24.0.0.186
Aug 22 2017
Chrome won't overwrite a secure cookie with an insecure one. Unless I'm missing something, this is expected behavior (See https://tools.ietf.org/html/draft-west-leave-secure-cookies-alone-05).
Aug 22 2017
mmenke@ is correct: Chrome does not let a non-secure server overwrite a secure cookie, so that's behaving as expected.
Aug 22 2017
The issue is that if you switch from HTTP to HTTPS (secure cookie) and switch back to HTTP, the session will not work anymore. But if you go back again to HTTPS, the HTTPS session works. Issue can be reproduced using PHP secure cookies ini set. On 22.08.2017 22:03, "mk… via monorail" <monorail+v2.189620131@chromium.org> wrote:
Aug 23 2017
If you have a system which is using multiple Ajax calls and a file which always gets called on the requests with the following content:
<?php
// HTTPONLY is set in php.ini
// Mark the session cookie Secure only when the request arrived over HTTPS
if( (isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443) || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') )
{
    ini_set('session.cookie_secure', '1');
}
The issue occurs.
What I see so far is that if you start using the web interface over HTTP, then switch to HTTPS and then switch back to HTTP, each Ajax call to the PHP backend results in a new PHP session (the PHP session folder fills up).
So it seems it always drops the sessions.
But if I switch back to HTTPS all works again with keeping the session active.
=> not able to get HTTP running again, only a browser restart solves it.
In version 57.0.2987.133 it worked as expected.
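The interaction the thread describes can be replayed in a few lines. The following is an added example, not code from the report or from Chromium: a toy cookie jar that applies the "Leave Secure Cookies Alone" rule from the cited draft, and a toy PHP-style session handler that marks its cookie Secure only on HTTPS, as the reporter's auto-prepend does. Cookie names, the `sessN` ids and the `PHPSESSID_TLS` mitigation name are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool

class CookieJar:
    """Toy cookie store for one host/path applying the 'Leave Secure Cookies
    Alone' rule cited in the thread: a non-secure origin can neither set a
    Secure cookie nor overwrite an existing Secure cookie of the same name."""

    def __init__(self):
        self._cookies = {}  # (name, secure) -> Cookie

    def set_cookie(self, from_https, cookie):
        """Apply a Set-Cookie header; return False if the browser rejects it."""
        shadows_secure = any(c.secure and c.name == cookie.name
                             for c in self._cookies.values())
        if not from_https and (cookie.secure or shadows_secure):
            return False
        self._cookies[(cookie.name, cookie.secure)] = cookie
        return True

    def cookies_for(self, https):
        """Cookies a request carries: Secure ones travel only over HTTPS."""
        return {c.name: c.value for c in self._cookies.values()
                if https or not c.secure}

class PhpSessionServer:
    """Toy PHP session handling with the reporter's auto-prepend: the session
    cookie is Secure only on HTTPS. separate_names=True is the mitigation of
    giving the HTTPS session its own (constructed) cookie name so the two
    cookies never collide."""

    def __init__(self, separate_names=False):
        self.sessions = {}
        self.separate_names = separate_names

    def handle(self, jar, https):
        name = "PHPSESSID_TLS" if https and self.separate_names else "PHPSESSID"
        sid = jar.cookies_for(https).get(name)
        if sid not in self.sessions:  # no usable cookie: start a new session
            sid = f"sess{len(self.sessions) + 1}"  # constructed session id
            self.sessions[sid] = {}
            jar.set_cookie(https, Cookie(name, sid, secure=https))
        return sid

def run(sequence, separate_names=False):
    """Replay request schemes (True = HTTPS); return the session id each saw."""
    jar, server = CookieJar(), PhpSessionServer(separate_names)
    return [server.handle(jar, https) for https in sequence]
```

With one shared cookie name, `run([True, True, False, False, True])` yields a fresh session on every HTTP request and the original one again on HTTPS, which is exactly the behaviour reported; with separate names both schemes keep their own session.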
Comment 1 by rch@chromium.org, Aug 22 2017
Labels: Needs-Feedback