
[savannah-help-public] [sr #109705] make session cookies httponly


From: Peter Liscovius
Subject: [savannah-help-public] [sr #109705] make session cookies httponly
Date: Tue, 11 Jun 2019 13:33:48 -0400 (EDT)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:67.0) Gecko/20100101 Firefox/67.0

URL:
  <https://savannah.nongnu.org/support/?109705>

                 Summary: make session cookies httponly
                 Project: Savannah Administration
            Submitted by: peterdd
            Submitted on: Tue 11 Jun 2019 07:33:46 PM CEST
                Category: None
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

The session_hash and session_uid are not httponly, which means JavaScript
could read document.cookie.

So an easy fix might be changing

setcookie($name, $value, $expiration, $path, $domain, $secure);

to

setcookie($name, $value, $expiration, $path, $domain, $secure, true);

in frontend/php/include/session.php

see https://www.php.net/manual/en/function.setcookie.php

Also the session cookies are .savannah.gnu.org, not savannah.gnu.org, so any
subdomain tool has access to the session (I see it was intentionally made, but
is it used yet anywhere?)

While savannah.gnu.org has content-security-policy default 'self', which makes
XSS harder, the subdomains like https://web.cvs.savannah.gnu.org do not, so
an XSS there could read document.cookie.

By setting the httponly option for session related cookies it would be a bit
harder to exploit a XSS bug.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Tue 11 Jun 2019 07:33:46 PM CEST  Name: savane_cookies.png  Size: 241KiB
  By: peterdd

<http://savannah.nongnu.org/support/download.php?file_id=47075>

    _______________________________________________________

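As an added, defender-side example (not Savane's code and not from the report): a small Python audit of Set-Cookie headers that flags the two issues the report raises, a session cookie without HttpOnly and a Domain attribute that shares it with subdomains. It assumes the cookie names session_hash and session_uid named in the report; the header lines are constructed.

```python
SESSION_COOKIES = {"session_hash", "session_uid"}  # names from the report


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).

    Flag attributes (HttpOnly, Secure) map to True, valued ones to their
    string; keys are lower-cased since browsers match them case-insensitively.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit(set_cookie_headers):
    """Return (cookie_name, issue) pairs for the session cookies only."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue
        if attrs.get("httponly") is not True:
            # Without HttpOnly, script on any page the cookie is sent to can
            # read it through document.cookie.
            findings.append((name, "no-httponly"))
        if attrs.get("secure") is not True:
            findings.append((name, "no-secure"))
        if "domain" in attrs:
            # Any explicit Domain attribute makes a domain cookie, which
            # browsers send to every subdomain as well (RFC 6265); a
            # host-only cookie omits Domain entirely.
            findings.append((name, "shared-with-subdomains:%s" % attrs["domain"]))
    return findings


# Constructed samples: the first two mirror what the report describes, the
# third is the hardened form (HttpOnly set, no Domain attribute).
SAMPLE_HEADERS = [
    "Set-Cookie: session_hash=EXAMPLE; expires=Thu, 01 Jan 2026 00:00:00 GMT; "
    "path=/; domain=.savannah.gnu.org; secure",
    "Set-Cookie: session_uid=EXAMPLE; path=/; domain=.savannah.gnu.org; secure",
    "Set-Cookie: session_hash=EXAMPLE; path=/; secure; HttpOnly",
]
```

audit(SAMPLE_HEADERS) reports both report-style cookies for no-httponly and for being shared with every subdomain of savannah.gnu.org, and nothing for the hardened third line.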