@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (24 fixed, 18 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (25 fixed, 17 open).
---
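Review bot: the new sev-1 roll-up (25 fixed, 17 open) still sums to 42 and is consistent with exactly one sev-1 finding moving from open to Fixed, which is what the later hunk records; nothing else in this hunk changes. Since this header line is maintained by hand, consider regenerating the three counts from the per-finding `**Status:**` lines whenever the roll-up is touched, so the header cannot drift from the findings it summarizes.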
@@ -1871,6 +1871,25 @@
these at the browser and prevents subdomain cookie shadowing.
Free defence-in-depth.
- **Severity: 1**
+- **Status:** Fixed. New `SessionManager::cookieName()` returns
+ `__Host-irdb_session` when `secureCookie` is true (production /
+ HTTPS) and `irdb_session` otherwise. `startSession()` now calls
+ `session_name($this->cookieName())` so the response's
+ `Set-Cookie` header carries the prefixed name in production. The
+ prefix is a browser-enforced contract: cookies named `__Host-…`
+ are REJECTED unless they have `Secure`, `Path=/` exactly, and no
+ `Domain` attribute (host-only) — which is exactly the shape the
+ existing `session_set_cookie_params` already produces, so the
+ rename is a free defence-in-depth tightening that prevents a
+ parent-domain or subdomain page from shadowing the session
+ cookie. Dev mode (`APP_ENV=development`, `secureCookie=false`,
+ HTTP) keeps the unprefixed name because browsers reject `__Host-`
+ over plain HTTP. Existing rolling sessions get implicitly
+ invalidated on deploy (the cookie name changes), so users
+ re-authenticate; acceptable cost for the security improvement.
+ Regression tests in `ui/tests/Unit/Auth/SessionManagerTest.php`:
+ `testCookieNameUsesHostPrefixWhenSecure` and
+ `testCookieNameSkipsHostPrefixInDev`.
### F58 — `/api/docs` CSP allows external CDN without SRI
- **File:** `api/docker/Caddyfile:41`
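Review bot: the `- **Severity: 1**` bullet is deleted and the added `+- **Status:** Fixed. ...` block does not restate it, so this finding loses its severity marker while the roll-up header in the first hunk still counts it as a sev-1; keep the Severity bullet and add Status as a separate bullet beneath it. Two things worth confirming in the code this text describes: `session_name($this->cookieName())` has to run before `session_start()` (PHP only applies the name to a session started afterwards), and the attributes the `__Host-` prefix depends on (`Secure`, `Path=/`, no `Domain`) are said here to come from the existing `session_set_cookie_params` call, so a regression test that asserts on the emitted `Set-Cookie` line, not only on the string `cookieName()` returns, would cover the browser-enforced contract end to end rather than just the rename. Also note that after deploy the old unprefixed `irdb_session` cookie stays in browsers (the name change ignores it but does not clear it); either expire it on the first response or mention it in the deploy notes so the stale cookie is not mistaken for a session that survived.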