[aur-general] Securing the AUR website

Pierre Schmitz pierre at archlinux.de
Fri Aug 5 17:36:06 EDT 2011

Hi TUs,

the AUR still handles user logins and sessions in a insecure way that
can easily be exploited. The last approach to use https by default was
denied a long time ago. But I hope you guys will reconsider this

To prevent session hijacking, mtm attacks or whatnot I'd recommend the
* Redirect all http traffic to https by default
* Set session.cookie_secure = 1 in your php.ini
* If you use setcookie() make sure to set the secure parameter to true
* If you don't require any javascript to access your session data it's
also a good idea to set all cookie to httponly (again via php.ini and if
you use setcookie() directly)

The optional https access as we have now wont work here. Even if you
never forget to add the s to http when you login session data is also
transferred via http. So once you click a non-https link to the AUR it
would be possible for an attacker to hijack your session.



Pierre Schmitz, https://users.archlinux.de/~pierre

More information about the aur-general mailing list