LPS-33778 (PUBLIC - Liferay Portal Community Edition)

Need Security Features to support switching between SSL and non-SSL URLs.

    Details

    • Type: Feature Request
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      In Trunk CE with Open SSL.

      Description

      ---- BEGIN ----
      This issue, if I understand it correctly:
      1, The user has remember-me cookies only for the HTTPS channel (because he accessed a secured page first and WebKeys.HTTPS_INITIAL = true)
      2, When the user accesses a page over the non-secured channel (http://localhost/private2), he gets a new JSESSIONID
      3, He is redirected to the secured login (with the same JSESSIONID), because company.security.auth.requires.https=true
      4, Here, based on the remember-me cookies, this session is authenticated, because session.enable.phishing.protection=false
      The problem:
      5, The portal doesn't redirect back to the page the user requested in step 2

      From the security perspective I see 3 problems here:
      A, After we fix step 5, the redirect will go to HTTP => an attacker can force the user onto the non-secured channel and steal the JSESSIONID
      B, session.enable.phishing.protection=false => the session ID from step 2 is transmitted over HTTP and can be accessed by a MITM. In step 4 the session ID is authenticated - no new session is created => the attacker can now use it
      C, Remember-me cookies are based on WebKeys.HTTPS_INITIAL, so it's possible to set them for HTTP. I only need to force an admin to access an HTTP page before logging in, and the remember-me cookies will then be available over HTTP as well

      ---- END ----
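To make point B concrete, the following is an added example (a constructed Python model, not Liferay code): it replays steps 2 to 4 of the flow above against a toy session store whose two switches are named after the issue's configuration keys, and shows that the JSESSIONID handed out over HTTP stays valid after authentication unless the ID is regenerated at login. The class, method names and the `"admin"` sample user are assumptions made for the illustration.

```python
import secrets
from typing import Dict, Optional


class PortalModel:
    """Toy portal: sessions keyed by JSESSIONID, flags named after the issue's config keys."""

    def __init__(self, phishing_protection: bool, auth_requires_https: bool = True):
        self.phishing_protection = phishing_protection  # session.enable.phishing.protection
        self.auth_requires_https = auth_requires_https  # company.security.auth.requires.https
        self.sessions: Dict[str, dict] = {}

    def request(self, url: str, session_id: Optional[str]) -> str:
        """Step 2: a request without a live session is issued a fresh JSESSIONID."""
        if session_id not in self.sessions:
            session_id = secrets.token_hex(16)
            # Records whether the first hit was HTTPS, as the issue says WebKeys.HTTPS_INITIAL does.
            self.sessions[session_id] = {"user": None, "https_initial": url.startswith("https://")}
        return session_id

    def login(self, session_id: str, remember_me_user: str, over_https: bool) -> str:
        """Steps 3-4: authenticate the session; returns the ID the client must use from now on."""
        if self.auth_requires_https and not over_https:
            raise PermissionError("login is only accepted over HTTPS")
        state = self.sessions.pop(session_id)
        if self.phishing_protection:
            # Rotate the ID on authentication: an ID observed on HTTP in step 2 is never promoted.
            session_id = secrets.token_hex(16)
        state["user"] = remember_me_user
        self.sessions[session_id] = state
        return session_id

    def whoami(self, session_id: str) -> Optional[str]:
        """What a replayed JSESSIONID resolves to; None if the ID is unknown."""
        return self.sessions.get(session_id, {}).get("user")


def http_session_id_becomes_authenticated(phishing_protection: bool) -> bool:
    """Replays the issue's steps 2-4 and reports whether the ID handed out over HTTP
    (the one a MITM could read, point B) ends up logged in as the user."""
    portal = PortalModel(phishing_protection)
    sniffed = portal.request("http://localhost/private2", None)  # step 2, observable on the wire
    portal.login(sniffed, "admin", over_https=True)               # steps 3-4 via remember-me
    return portal.whoami(sniffed) == "admin"
```

With `phishing_protection=False` the HTTP-issued ID resolves to the logged-in user; with it enabled the old ID is unknown to the store after login.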

    People

    • Assignee: support-lep@liferay.com SE Support
    • Reporter: james.lefeu James Lefeu (Inactive)
    • Votes: 1
    • Watchers: 2
