Hi Everyone!

The second issue I am seeing after fresh install of limesurvey on ubuntu 18.04 and Apache2 is: Non-HttpOnly Session Cookies Identified.

Specifically:

The website software running on this server appears to be setting session
cookies without the HttpOnly flag set. This means the session identifier
information in these cookies is susceptible to attacks such as Cross-site Scripting
which may allow attackers to read this cookie's data.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N (5.00)

Service: apache:http_server

Evidence:

Cookie HttpOnly Flag: false


Cookie Name: YII_CSRF_TOKEN

Cookie Value:
dXV3ZldSa3VkVTQ0V2Z2eFh2YkhRczlnQkFDX2gwNmNm4hGR8VyKIc75mMFP81GGiX024nz7Cj6AaA6v7
crI4A%3D%3D

URL: https://xxxxxxxxxxxxx/index.php/admin/authentication/sa/forgotpassword


Remediation:
Contact the vendor of this web application and request the HttpOnly flag be set on session cookies.

How is this done?

You can update it in config.php
www.limesurvey.org/manual/Optional_setti...ther_sessions_update

Can you report the issue ? Then we made it by default (i don't see why we don't made it currently)