request #9166 Missing HTTPOnly flag on PHP session cookie

Artifact

Infos

Artifact ID#9166

Submitted byThomas Gerbet (tgerbet)

Last Modified On2016-12-22 13:35

Submitted on2016-05-20 15:02

Rank9439

Details

Summary *

Missing HTTPOnly flag on PHP session cookie

Original Submission

The session cookie used by PHP can be accessed by client side script code.

Impact

The content of the cookie can be stolen by an attacker to mount more complex attacks.
CVSS3 score: 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

References

https://www.owasp.org/index.php/HttpOnly
https://tools.ietf.org/html/rfc6265#section-5.2.6

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2016-05-23

Attachments

Connected artifacts

Artifact links

Empty

Reverse artifact links

Releases

AttachmentsEmpty

References

Cross references

Referencing request #9166

Artifact Tracker v5

rel #8982 8.15

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/29/5729/2' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD fb010e2b8a

Yannis ROSSETTO (rossettoy) , 2016-05-23 10:37

request #9166: Session cookie have the flag HTTPOnly and Secure if possible ad3c2e187d

Thomas Gerbet (tgerbet) , 2016-05-23 09:02

Show items referenced by request #9166

Referenced by request #9166

Other

gerrit #5729

Follow-ups

Thomas Gerbet (tgerbet)

2016-12-22 13:35

Public disclosure.

Thomas Gerbet (tgerbet)

2016-05-23 12:02

Integrated into Tuleap 8.14.99.75.

Status changed from Under review to Closed
Close date set to 2016-05-23

Thomas Gerbet (tgerbet)

2016-05-20 18:06

A patch is under review: gerrit #5729.

Status changed from Under implementation to Under review