Description
I'm using HTTPS for my MoinMoin wiki. Apparently, cookies should then be marked as "secure" by the wiki:
If it's not done, a man-in-the-middle attack can easily steal the cookie despite the secure connection. The attacker can then access the wiki using the victim's user account.
Steps to reproduce
- Log in to a MoinMoin wiki.
- Inspect the cookie you get. It is not marked as "secure".
Component selection
- general
Details
MoinMoin Version | 1.5.8-5.1ubuntu2 |
OS and Version | Ubuntu 8.04 |
Python Version | 2.5.2-0ubuntu1 |
Server Setup | Apache with HTTPS |
Server Details | |
Language you are using the wiki in (set in the browser/UserPreferences) | |
Workaround
Discussion
Moin 1.5 is not supported any more, but it will be fixed in the current version 1.7.
How to Properly Provide Mixed HTTP and HTTPS Support
Thanks for fixing the bug! Excellent response time.
Plan
- Priority:
- Assigned to:
Status: fixed by http://hg.moinmo.in/moin/1.7/rev/be4cefe2a219 (also merged into 1.8)
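The check from "Steps to reproduce" can be automated. The following is an added example, not MoinMoin's code or the referenced fix: it audits `Set-Cookie` header values for the `Secure` attribute and shows a cookie builder that sets the flag only when the request arrived over HTTPS. The function names, the cookie name `WIKI_SESSION` and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive ("Secure", "secure", "SECURE").
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_secure(set_cookie_headers):
    """Return names of cookies a browser would also send over plain HTTP."""
    parsed = (parse_set_cookie(h) for h in set_cookie_headers)
    return [name for name, _, attrs in parsed if "secure" not in attrs]


def build_cookie(name, value, request_is_https):
    """Build a Set-Cookie value; mark it Secure when served over HTTPS."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if request_is_https:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


# Constructed sample headers (not captured from a real wiki).
SAMPLE_HEADERS = [
    "WIKI_SESSION=abc123; expires=Tue, 01-Jan-2030 00:00:00 GMT; Path=/",
    "WIKI_SESSION=abc123; Path=/; Secure; HttpOnly",
    "secure=1; Path=/",           # cookie *named* secure, flag still absent
    "theme=modern; path=/; SECURE",
]

if __name__ == "__main__":
    for cookie_name in missing_secure(SAMPLE_HEADERS):
        print("cookie %r is not marked Secure" % cookie_name)
```
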