XWiki Platform / XWIKI-5156

Session cookies are not marked as HttpOnly


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.4 M1
    • 2.2.3, 2.3, 2.4 M1
    • {Unused} Core
    • None
    • security, xss
    • Medium

    Description

      Reported by the Dutch security audit.

      Session cookies (user, password, rememberme, validation, jsessionid) should have an additional HttpOnly flag. Setting this flag prevents those cookies from being accessed from JavaScript, which blocks one of the most common XSS attacks (stealing cookies, a.k.a. session hijacking).

      This flag is supported by most browsers (IE6+, FF, Chrome), other browsers ignore it.

      A lot of useful information can be found here: http://www.owasp.org/index.php/HttpOnly
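      As an added illustration (not part of this issue or of XWiki's own Java code), the check below parses Set-Cookie headers captured from a response, reports which of the session cookies named above still lack HttpOnly, and shows the header rewrite a servlet filter or reverse proxy would apply. The header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Cookie names listed in the issue as session-related (compared case-insensitively;
# JSESSIONID is the servlet container's session id, the rest are XWiki's own).
SESSION_COOKIES = {"user", "password", "rememberme", "validation", "jsessionid"}

# Constructed sample response headers, one Set-Cookie value per entry.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/xwiki",
    "user=XWiki.JohnDoe; Path=/; HttpOnly",
    "rememberme=true; Path=/",
    "theme=colibri; Path=/",  # preference cookie, not a session cookie
]


def parse_set_cookie(header_value):
    """Return (cookie name, has HttpOnly flag) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie in %r" % header_value)
    name, morsel = next(iter(jar.items()))
    # Morsel stores flag attributes as True when present and "" when absent.
    return name, bool(morsel["httponly"])


def find_unprotected(headers):
    """Names of session cookies in the given headers that lack HttpOnly."""
    missing = []
    for header_value in headers:
        name, httponly = parse_set_cookie(header_value)
        if name.lower() in SESSION_COOKIES and not httponly:
            missing.append(name)
    return missing


def add_httponly(header_value):
    """Append the flag to a Set-Cookie value that lacks it; leave others unchanged."""
    _, httponly = parse_set_cookie(header_value)
    if httponly:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    print("missing HttpOnly:", find_unprotected(SAMPLE_HEADERS))
    for header_value in SAMPLE_HEADERS:
        print(add_httponly(header_value))
```

      The rewrite only hides the cookies from script; it does not replace fixing the issue at the source, where the application or container sets the cookie.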

    People

      sdumitriu Sergiu Dumitriu
      nickless Alex Busenius