Secure cookies / http cookies only

by Rick Sparrow -
Number of replies: 2
Hey there, hoping for some clarification on the following. I'm going through the various security checks from the Reports menu. I'd like to enable the Secure Cookies Only and HTTP Cookies feature in Apache and Moodle, as this was being flagged as not being enabled for us. 

We're running Moodle 4.1.3 on Ubuntu 20.04.6 LTS, with PHP v7.4.3 and Apache 2.4.57, using https.

When I was first looking into this, the method I found suggested I add the following line to /etc/apache2/apache2.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

But Moodle wouldn't start up at all after restarting Apache, so I reverted that change.

Now I see there are settings for both under Admin > HTTP Security. So, some questions:

1) Not sure: is it still necessary to adjust the setting in apache2.conf in addition to toggling those settings in Site Admin? (Hopefully not, given what happened.)
2) The description for 'Only http cookies' says 'This is not supported in all browsers and it may not be fully compatible with current code' and by default it is *not* enabled.

I've enabled both on my test server and things seem OK so far, but I'm trying to get wider feedback on the 'only http cookies' setting, i.e. 'not fully compatible with current code'. Is that still the case? Dependent on the types of plugins one would have? It says this enables a new PHP 5.2.0 feature, so... assuming that's not really new these days.

Thanks,
Rick
In reply to Rick Sparrow

Re: Secure cookies / http cookies only

by Michael Hawkins -
Hi Rick,

Funny you should mention that setting, it's something I was in a discussion about last week relating to some security best practice improvements and tweaks. There's very little information about exactly what that "not fully compatible with current code" text is referring to, so I am keen for us to update the description for Moodle 4.3, once we have a better idea of what may be impacted. I suspect that it relates to certain functionality that might interact with external systems (possibly LTI, for example), but have not had an opportunity to investigate further yet. If anyone else responds to this discussion with some more definitive answers, that would actually also help us with our research too!

For your first question - I don't think you have to do it in both places. You should be able to confirm that by turning on the settings in Moodle and checking the headers are being included when you load a page in your browser (you can check that from your browser's developer tools).
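As an added example (not code from this thread, from Moodle or from Apache), here is a small bash script that does from the command line what Michael suggests doing in the browser's developer tools: it reads raw response headers and reports every Set-Cookie header that lacks Secure or HttpOnly. It also emulates, with sed, the regex substitution that the `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` rule from the first post performs, to show that the rule appends the attributes unconditionally, so a cookie Moodle already marks correctly ends up carrying them twice. The sample headers are constructed, and the hostname moodle.example.edu in the comment is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread, from Moodle or from Apache.
# It checks HTTP response headers for the Secure and HttpOnly cookie
# attributes and shows what the Apache rule quoted in the first post does
# to a cookie that already carries them.

# cookie_flags_missing reads raw response headers on stdin and prints one
# line per Set-Cookie header that lacks Secure or HttpOnly. Returns 0 when
# every cookie has both attributes, 1 otherwise.
cookie_flags_missing() {
    local status=0 line name
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')     # header lines end in CRLF
        printf '%s' "$line" | grep -qi '^set-cookie:' || continue
        name=$(printf '%s' "$line" | sed -E 's/^[^:]*:[[:space:]]*//; s/=.*//')
        # Attribute names are case-insensitive (RFC 6265). Requiring a ';'
        # before the name stops "secure" inside a cookie value from counting.
        if ! printf '%s' "$line" | grep -Eiq ';[[:space:]]*secure([[:space:]]*;|$)'; then
            printf '%s: missing Secure\n' "$name"; status=1
        fi
        if ! printf '%s' "$line" | grep -Eiq ';[[:space:]]*httponly([[:space:]]*;|$)'; then
            printf '%s: missing HttpOnly\n' "$name"; status=1
        fi
    done
    return "$status"
}

# apache_header_edit emulates, with sed, the substitution that
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# performs on each Set-Cookie value: the two attributes are appended
# unconditionally, so a cookie that already has them gets them twice.
apache_header_edit() {
    sed -E 's/^(.*)$/\1;HttpOnly;Secure/'
}

# Constructed sample headers (not captured from a real site). The first cookie
# is what Moodle sends with both HTTP Security settings enabled; the second
# has neither attribute, which is what the security report flags.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Set-Cookie: MoodleSession=abc123; path=/; secure; HttpOnly\r\n'
    printf 'Set-Cookie: MOODLEID1_=deadbeef; path=/\r\n'
    printf 'Content-Type: text/html; charset=utf-8\r\n'
}

# Against a live site (hypothetical hostname), replace sample_headers with:
#   curl -sS -D - -o /dev/null https://moodle.example.edu/login/index.php
if sample_headers | cookie_flags_missing; then
    echo "all cookies carry Secure and HttpOnly"
else
    echo "some cookies are missing attributes (listed above)"
fi

echo "After the Apache rule, the already-correct cookie becomes:"
printf 'MoodleSession=abc123; path=/; secure; HttpOnly\n' | apache_header_edit
```

Two caveats if you do keep the Apache rule: the `Header` directive needs mod_headers enabled, and `Header edit` only applies to successful (2xx) responses unless written as `Header always edit`, so a cookie set on a redirect would not be rewritten. The script does not explain why Moodle failed to start after the change; it only shows that, with the Moodle settings on, the rule is redundant.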
In reply to Michael Hawkins

Re: Secure cookies / http cookies only

by Rick Sparrow -
Thanks Michael. As it is, I enabled both settings a week ago on our production server, and there's been no complaints from our staff and students, so I will leave them enabled.