Welcome to the LimeSurvey Community Forum


FIX: Non-HttpOnly Session Cookies Identified

4 years 11 months ago #182734 by eyeballs
Hi Everyone!

The second issue I am seeing after a fresh install of LimeSurvey on Ubuntu 18.04 and Apache2 is: Non-HttpOnly Session Cookies Identified.

Specifically:

The website software running on this server appears to be setting session
cookies without the HttpOnly flag set. This means the session identifier
information in these cookies is susceptible to attacks such as Cross-site Scripting
which may allow attackers to read this cookie's data.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:P/A:N (5.00)

Service: apache:http_server

Evidence:

Cookie HttpOnly Flag: false


Cookie Name: YII_CSRF_TOKEN

Cookie Value: dXV3ZldSa3VkVTQ0V2Z2eFh2YkhRczlnQkFDX2gwNmNm4hGR8VyKIc75mMFP81GGiX024nz7Cj6AaA6v7crI4A%3D%3D

URL: https://xxxxxxxxxxxxx/index.php/admin/authentication/sa/forgotpassword


Remediation:
Contact the vendor of this web application and request the HttpOnly flag be set on session cookies.

How is this done?
4 years 11 months ago #182741 by DenisChenu
Replied by DenisChenu on topic FIX: Non-HttpOnly Session Cookies Identified
You can update it in config.php
manual.limesurvey.org/Optional_settings#Other_sessions_update

Can you report the issue? Then we make it the default (I don't see why we don't do so currently).

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
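A config.php fragment applying the answer above, added here as an example and not the poster's own text. The 'session' block is the setting the linked manual section ("Other sessions update") covers; the 'request' block is an assumption based on Yii 1's CHttpRequest csrfCookie property, added because the scanner's evidence actually names the YII_CSRF_TOKEN cookie rather than the PHP session cookie.

```php
<?php
// Added example (not from the forum post): cookie hardening in LimeSurvey's
// application/config/config.php. Merge these keys into the existing
// 'components' array of your config rather than replacing the whole file.
return array(
    'components' => array(
        // Session cookie: 'session' => 'cookieParams' is the setting the
        // manual's "Other sessions update" section describes.
        // 'httponly' keeps the session id out of reach of document.cookie
        // (the XSS exposure the scanner describes); 'secure' restricts the
        // cookie to HTTPS, which the scanned URL already uses.
        'session' => array(
            'cookieParams' => array(
                'httponly' => true,
                'secure'   => true,
            ),
        ),
        // The flagged cookie is YII_CSRF_TOKEN, Yii 1's CSRF cookie.
        // Assumption: LimeSurvey passes these keys through to
        // CHttpRequest::$csrfCookie, whose CHttpCookie attributes are
        // camelCase ('httpOnly', unlike the PHP session 'httponly' above).
        'request' => array(
            'enableCsrfValidation' => true,
            'csrfCookie' => array(
                'httpOnly' => true,
                'secure'   => true,
            ),
        ),
    ),
);
```

After changing the file, confirm the fix by checking that the Set-Cookie response headers on the login page now carry HttpOnly (and Secure) for both cookies, or by re-running the scan that produced the finding.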
