[savannah-help-public] [sr #109705] make session cookies httponly

2019-06-17 Thread Ineiev
Update of sr #109705 (project administration):

    Category: None => Savannah website
      Status: None => Done
 Assigned to: None => ineiev
 Open/Closed: Open => Closed

___

Follow-up Comment #1:

Done.

___

Reply to this item at:

  

___
  Message sent via Savannah
  https://savannah.nongnu.org/




[savannah-help-public] [sr #109705] make session cookies httponly

2019-06-11 Thread Peter Liscovius
URL:
  

 Summary: make session cookies httponly
 Project: Savannah Administration
Submitted by: peterdd
Submitted on: Tue 11 Jun 2019 07:33:46 PM CEST
Category: None
Priority: 5 - Normal
Severity: 6 - Security
  Status: None
 Assigned to: None
Originator Email: 
Operating System: None
 Open/Closed: Open
 Discussion Lock: Any

___

Details:

The session_hash and session_uid are not httponly, which means JavaScript
could read document.cookie.

So an easy fix might be changing

setcookie($name, $value, $expiration, $path, $domain, $secure);

to

setcookie($name, $value, $expiration, $path, $domain, $secure, true);

in frontend/php/include/session.php

see https://www.php.net/manual/en/function.setcookie.php

Also the session cookies are .savannah.gnu.org, not savannah.gnu.org, so any
subdomain tool has access to the session (I see it was intentionally made, but
is it used yet anywhere?)

While savannah.gnu.org has content-security-policy default 'self', which makes
XSS harder, the subdomains like https://web.cvs.savannah.gnu.org have not, so
an XSS there could read document.cookie.

By setting the httponly option for session-related cookies it would be a bit
harder to exploit an XSS bug.



___

File Attachments:


---
Date: Tue 11 Jun 2019 07:33:46 PM CEST  Name: savane_cookies.png  Size: 241KiB
  By: peterdd



___

Reply to this item at:

  

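As an added check (not part of this report or of Savane's own code), the following Python audits Set-Cookie header values for the three points raised in the report: a session cookie without HttpOnly, without Secure, or with a Domain attribute that shares it with every subdomain. The cookie names come from the report; the header strings are constructed samples, and the site host is an assumed parameter.

```python
"""Audit Set-Cookie headers for the weaknesses reported above: a session
cookie that lacks HttpOnly (readable through document.cookie), lacks
Secure, or carries a Domain attribute (sent to every subdomain)."""

SESSION_COOKIES = {"session_hash", "session_uid"}  # names from the report

EXPLAIN = {
    "missing-httponly": "no HttpOnly: script on the page can read it via document.cookie",
    "missing-secure": "no Secure: may also be sent over plain HTTP",
    "domain-cookie": "Domain attribute set: shared with every subdomain, not just the host",
    "foreign-domain": "Domain attribute does not cover the site host at all",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, site_host):
    """Return finding codes for one Set-Cookie header; [] means it passes.
    Only the session cookies are audited. Per RFC 6265 any explicit Domain
    attribute makes the cookie a domain cookie, so it reaches all subdomains
    whether or not it was written with a leading dot."""
    name, _, attrs = parse_set_cookie(header)
    if name not in SESSION_COOKIES:
        return []
    findings = []
    if "httponly" not in attrs:
        findings.append("missing-httponly")
    if "secure" not in attrs:
        findings.append("missing-secure")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        host = site_host.lower()
        covered = host == domain or host.endswith("." + domain)
        findings.append("domain-cookie" if covered else "foreign-domain")
    return findings


# Constructed sample headers (not captured from Savannah): before and after the fix.
BEFORE = "session_hash=0123abcd; expires=Wed, 12 Jun 2019 17:33:46 GMT; path=/; domain=.savannah.gnu.org; secure"
AFTER = "session_hash=0123abcd; expires=Wed, 12 Jun 2019 17:33:46 GMT; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        codes = audit_cookie(hdr, "savannah.gnu.org")
        print(label, "OK" if not codes else "; ".join(EXPLAIN[c] for c in codes))
```

To audit a live deployment, feed it every Set-Cookie value from the login response instead of the constructed samples.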