
Session cookies are not marked as HttpOnly

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.3, 2.3, 2.4 M1
    • Fix Version/s: 2.4 M1
    • Component/s: {Unused} Core
    • Labels:
      None
    • keywords:
      security, xss
    • Difficulty:
      Medium
      Description

      Reported by the Dutch security audit.

      Session cookies (user, password, rememberme, validation, jsessionid) should have an additional HttpOnly flag. Setting this flag prevents accessing those cookies from JavaScript, which prevents one of the most common XSS attacks (stealing cookies, a.k.a. session hijacking).

      This flag is supported by most browsers (IE6+, FF, Chrome); other browsers ignore it.

      A lot of useful information can be found here: http://www.owasp.org/index.php/HttpOnly
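      As an added illustration (not part of this issue or of XWiki's own code), a small Python check that reads the Set-Cookie headers of a response and reports which of the cookies named above are sent without the HttpOnly attribute. The header values are constructed samples modelled on the cookie names in the report, not captured from a real XWiki instance.

```python
"""Audit Set-Cookie headers for session cookies that lack the HttpOnly attribute."""
from typing import Dict, List, Tuple

# Cookie names the report lists as session-related (JSESSIONID comes from the
# servlet container). Matched case-insensitively.
SESSION_COOKIES = {"user", "password", "rememberme", "validation", "jsessionid"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    Splitting on ';' is safe because attribute values such as Expires contain
    commas but never semicolons.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the session cookie names that are set without HttpOnly.

    A cookie in this list is readable through document.cookie, so any script
    injected via XSS could exfiltrate it (the session-hijacking case in the report).
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIES and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers (not real captured traffic): one session cookie is
# missing the flag, two carry it, and one non-session cookie is ignored.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/xwiki",
    "rememberme=true; Path=/xwiki; Expires=Wed, 21 Oct 2015 07:28:00 GMT; HttpOnly",
    "validation=deadbeef; Path=/xwiki; HttpOnly",
    "language=en; Path=/xwiki",
]

if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE_HEADERS):
        print(f"{cookie}: set without HttpOnly")
```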

            People

            Assignee:
            sdumitriu Sergiu Dumitriu
            Reporter:
            nickless Alex Busenius