FIX: Non-HttpOnly Session Cookies Identified

3 months 2 weeks ago #182734 by eyeballs
Hi Everyone!

The second issue I am seeing after a fresh install of LimeSurvey on Ubuntu 18.04 and Apache2 is: Non-HttpOnly Session Cookies Identified.


The website software running on this server appears to be setting session
cookies without the HttpOnly flag set. This means the session identifier
information in these cookies is susceptible to attacks such as Cross-site Scripting
which may allow attackers to read this cookie's data.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N (5.00)

Service: apache:http_server


Cookie HttpOnly Flag: false


Cookie Value:

URL: https://xxxxxxxxxxxxx/index.php/admin/authentication/sa/forgotpassword

Contact the vendor of this web application and request the HttpOnly flag be set on session cookies.

How is this done?

3 months 2 weeks ago #182741 by DenisChenu
You can update it in config.php

Can you report the issue? Then we make it the default (I don't see why we don't do it currently).

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand.
An error happens? Before making a new topic: remember the Debug mode.
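As an added example (not code from this thread or from LimeSurvey's own sources), this is the shape of the change in application/config/config.php that sets the HttpOnly flag on the session cookie. It assumes LimeSurvey's Yii 1.1 CHttpSession component, which passes these keys to PHP's session_set_cookie_params(), and that the site is served over HTTPS only (the `secure` key); the surrounding entries of your existing config.php are only sketched.

```php
<?php
// Added example: session cookie hardening for LimeSurvey's config.php.
// LimeSurvey runs on Yii 1.1; the 'session' component is CHttpSession and
// 'cookieParams' is handed to session_set_cookie_params(). Valid keys are
// lifetime, path, domain, secure and httponly.
return array(
    'components' => array(
        // ... keep your existing 'db', 'urlManager', 'request' entries here ...
        'session' => array(
            'cookieParams' => array(
                'httponly' => true,  // the flag the scanner reported as missing
                'secure'   => true,  // assumption: HTTPS only; drop if plain HTTP is still used
            ),
        ),
    ),
    // ... keep the rest of your existing config (e.g. the 'config' array) ...
);
```

After saving, log out and back in, then confirm the header with `curl -sI https://<your-host>/index.php/admin/ | grep -i set-cookie`; the session cookie line should now carry `HttpOnly` (and `Secure`).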
