FIX: Non-HttpOnly Session Cookies Identified

3 months 2 weeks ago #182734 by eyeballs
Hi Everyone!

The second issue I am seeing after a fresh install of LimeSurvey on Ubuntu 18.04 and Apache2 is: Non-HttpOnly Session Cookies Identified.

Specifically:

The website software running on this server appears to be setting session
cookies without the HttpOnly flag set. This means the session identifier
information in these cookies is susceptible to attacks such as Cross-site Scripting
which may allow attackers to read this cookie's data.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N (5.00)

Service: apache:http_server

Evidence:

Cookie HttpOnly Flag: false


Cookie Name: YII_CSRF_TOKEN

Cookie Value: dXV3ZldSa3VkVTQ0V2Z2eFh2YkhRczlnQkFDX2gwNmNm4hGR8VyKIc75mMFP81GGiX024nz7Cj6AaA6v7crI4A%3D%3D

URL: https://xxxxxxxxxxxxx/index.php/admin/authentication/sa/forgotpassword


Remediation:
Contact the vendor of this web application and request the HttpOnly flag be set on session cookies.

How is this done?

3 months 2 weeks ago #182741 by DenisChenu
You can update it in config.php
manual.limesurvey.org/Optional_settings#Other_sessions_update

Can you report the issue? Then we can make it the default (I don't see why we don't do it currently).

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand.
An error happened? Before making a new topic: remember Debug mode.
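To confirm that the config.php change actually took effect, here is an added example (not from the thread and not LimeSurvey code) that parses the Set-Cookie headers a response returns and lists every cookie missing the HttpOnly or Secure flag. The sample headers are constructed, the token value is a placeholder rather than the one from the scan, and fetch_set_cookie_headers is a hypothetical helper for checking a live instance.

```python
import urllib.request
from typing import Dict, List, Set

# Constructed sample Set-Cookie headers, modelled on what a LimeSurvey admin page
# might return: a hardened session cookie and a CSRF cookie still lacking flags.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=0123456789abcdef; path=/; secure; HttpOnly",
    "YII_CSRF_TOKEN=PLACEHOLDER_TOKEN_VALUE%3D%3D; path=/",
]

# Flags a scanner such as the one quoted above expects on session-related cookies.
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and its attribute names.

    Attribute names are lower-cased because the flag spelling varies
    (HttpOnly, httponly, HTTPONLY are all valid).
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return {"name": name, "attrs": attrs}


def missing_flags(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every cookie lacking a required flag."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [f for f in REQUIRED_FLAGS if f not in cookie["attrs"]]
        if missing:
            findings[str(cookie["name"])] = missing
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Hypothetical live check: collect all Set-Cookie headers from one GET request."""
    with urllib.request.urlopen(url) as resp:  # only call this against your own instance
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_set_cookie_headers(url) for a live test.
    for name, flags in missing_flags(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: missing {', '.join(flags)}")
```

An empty result means every cookie carries both flags; a non-empty one names the cookie to fix, which in this thread's case is the CSRF cookie rather than PHPSESSID.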