Bug #1112

Session cookie is not kept on au and SoftBank mobile phones if OpenPNE is running in partial-SSL mode

Added by Kousuke Ebihara over 9 years ago. Updated over 9 years ago.

Status: Fixed
Priority: Normal
Target version:
Start date: 2010-05-29
Due date:
% Done: 100%
Occurs in 3.6: Unknown (not investigated)
Occurs in 3.8: Unknown (not investigated)

Description

Overview

The session cookie is not kept on au and SoftBank mobile phones if OpenPNE is running in partial-SSL mode (that is, when the partial-SSL feature is enabled).

Cause

Mobile phones from au and SoftBank do not share cookies between HTTP and HTTPS.

au

An au handset stores cookies on the carrier's EZ server rather than on the device; during SSL communication, however, the cookie is stored on the handset itself. The HTTP and HTTPS cookie stores are therefore separate.

See: http://www.au.kddi.com/ezfactory/tec/spec/cookie.html

SoftBank

A SoftBank handset stores cookies in the following ways:

Fix

  • SSL connections from SoftBank handsets now always go through https://secure.softbank.ne.jp/ (the carrier's SSL gateway).
  • When a SoftBank or au handset attempts an HTTPS login, it is now redirected to the member/setSid action so that the session ID can be shared between HTTP and HTTPS.

Associated revisions

Revision 986e2335 (diff)
Added by Kousuke Ebihara over 9 years ago

added ability to share authentication information between HTTP and HTTPS for Japanese mobile phones (fixes #1112)

Revision 46d87866 (diff)
Added by Kousuke Ebihara over 9 years ago

added measures for secure.softbank.ne.jp (refs #1112)

Revision 1849103f (diff)
Added by Kousuke Ebihara over 9 years ago

made sharing of authentication information between HTTP and HTTPS in mobile_frontend more secure (refs #1112)

There is no way to provide the member/setSid action over SSL. An attacker eavesdropping on a connection that carries a session ID cannot be prevented, so session hijacking remains possible.
These changes encrypt that session ID in the query string, which makes it more difficult to impersonate a victim.
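The fix described in the issue and in the commits above hands a session from the HTTPS login over to the plain-HTTP member/setSid action through the query string, and the commit message itself notes that the handoff value can be observed in transit. The block below is an added illustration of that handoff, not OpenPNE's own code: instead of encrypting the session ID as the commits do, it uses a swapped-in design in which the URL carries only a random, single-use, short-lived token that the server maps back to the session ID. The class and function names (HandoffBroker, build_set_sid_url, handle_set_sid), the 60-second lifetime and the host name are assumptions chosen for the example; only the path member/setSid comes from the issue.

```python
"""Cross-scheme session handoff (HTTPS login -> HTTP member/setSid).

Added example, not OpenPNE code. A pending handoff is stored server-side
under a random token; the token is what travels in the query string, so a
captured URL reveals neither the session ID nor anything reusable after the
first redemption or after the short TTL.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 60  # assumed: one redirect round trip should finish well within this


class HandoffBroker:
    """Server-side store of pending handoffs, indexed by an opaque random token."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # token -> (session_id, expires_at)

    def issue(self, session_id):
        """HTTPS side, after a successful login: mint a token for this session."""
        self._purge()
        token = secrets.token_urlsafe(32)   # 256 random bits, never derived from the session ID
        self._pending[token] = (session_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """HTTP side: exchange the token for the session ID exactly once, or None."""
        self._purge()
        entry = self._pending.pop(token, None)   # pop: a replayed token finds nothing
        return entry[0] if entry is not None else None

    def pending_count(self):
        self._purge()
        return len(self._pending)

    def _purge(self):
        """Drop handoffs whose TTL has elapsed so they can never be redeemed."""
        now = self._clock()
        for token in [t for t, (_, exp) in self._pending.items() if exp <= now]:
            del self._pending[token]


def build_set_sid_url(http_base, token):
    """Redirect target on the plain-HTTP host; the path member/setSid is from the issue."""
    return f"{http_base.rstrip('/')}/member/setSid?{urlencode({'token': token})}"


def handle_set_sid(broker, request_url):
    """Plain-HTTP handler: parse the request URL and redeem the token.

    Returns the session ID to place in the HTTP-side session cookie, or None
    when the token is missing, duplicated, forged, expired or already used.
    """
    tokens = parse_qs(urlsplit(request_url).query).get("token", [])
    if len(tokens) != 1:
        return None
    return broker.redeem(tokens[0])


if __name__ == "__main__":
    broker = HandoffBroker()
    # Constructed values: the session ID and host name are placeholders.
    url = build_set_sid_url("http://m.example.test", broker.issue("sid-constructed-123"))
    print("redirect to:", url)
    print("first redemption:", handle_set_sid(broker, url))    # the session ID
    print("replayed URL:", handle_set_sid(broker, url))        # None
```

Two properties matter for the defender here. The token is consumed on first use, so a URL harvested from a proxy log or a Referer header after the legitimate redirect is worthless, and it expires after a minute, which bounds the window in which an eavesdropper who raced the victim could use it. What this does not change is the point made in the commit message: once the HTTP-side session cookie exists it still travels in clear text on that leg, so the handoff token only narrows the exposure of the login itself.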

History

#1 Updated by Kousuke Ebihara over 9 years ago

  • Status changed from Accepted to Pending Review
  • % Done changed from 0 to 50

Applied in changeset 986e233506ed28d3120222c2010ff75ca29780e1.

#2 Updated by Kousuke Ebihara over 9 years ago

  • Subject changed from "Session-cookie is not kept in mobile-phones by au and SoftBank if OpenPNE is running in partial-SSL mode" to "Session-cookie is not kept in mobile-phones by au and SoftBank if OpenPNE is running in partial-SSL mode (Session cookie cannot be kept on au and SoftBank handsets when the partial-SSL feature is enabled)"
  • Status changed from Pending Review to Fixed
  • % Done changed from 50 to 100
