LimeSurvey issue tracker
ID: 07631
Project: Feature requests
Category: [All Projects] Security
View Status: public
Date Submitted: 2013-03-04 10:04
Last Update: 2013-05-19 16:00
Reporter: hesi
Assigned To:
Priority: normal
Severity: feature
Status: acknowledged
Resolution: open
Product Version:
Target Version:
Fixed in Version:

Summary: 07631: Session Cookie XSS protection via HttpOnly flag

Description: Is it possible to set the HttpOnly option within the Session Cookie to implement a Cross Site Scripting mitigation?

The additional secure flag can't be set by default, as some surveys might be processed via unencrypted http connections.
Additional Information: Open Web Application Security Project (OWASP): HttpOnly option
https://www.owasp.org/index.php/HttpOnly

Open Web Application Security Project (OWASP): Testing for cookies attributes (OWASP-SM-002)
https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

Tags: data integrity, data security
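
A check in the spirit of the OWASP cookie-attribute test linked above, as an added example that is not part of the original report or of LimeSurvey's code: it audits a response's Set-Cookie headers, always requiring HttpOnly on the session cookie and requiring Secure only when the response was served over HTTPS, which is the constraint the description raises. The cookie name PHPSESSID, the function names and the sample headers are assumptions constructed for the example.

```python
# Assumption: the session cookie is called PHPSESSID (PHP's default name);
# the report does not name the cookie LimeSurvey uses.
SESSION_COOKIE = "PHPSESSID"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); flags map to True."""
    first, *rest = header.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, sep, val = part.strip().partition("=")
        if key:
            # Attribute names are matched case-insensitively by browsers.
            attrs[key.lower()] = val.strip() if sep else True
    return name, attrs


def audit_session_cookie(headers, scheme, cookie_name=SESSION_COOKIE):
    """Return findings for the session cookie in a response's Set-Cookie headers.

    HttpOnly is always required. Secure is required only on HTTPS responses,
    since a Secure cookie is never sent back over plain HTTP and surveys
    served that way would lose their session.
    """
    findings = []
    seen = False
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue  # other cookies (language, theme, ...) are out of scope
        seen = True
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if scheme == "https" and "secure" not in attrs:
            findings.append("missing Secure on HTTPS response")
    if not seen:
        findings.append("session cookie not set")
    return findings


# Constructed sample headers, not captured from a real installation.
SAMPLE_WEAK = ["PHPSESSID=4f1c9a; path=/"]
SAMPLE_HTTPONLY = ["PHPSESSID=4f1c9a; path=/; HttpOnly"]
SAMPLE_HARDENED = ["lang=en; path=/", "PHPSESSID=4f1c9a; path=/; secure; HttpOnly"]
```
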
Notes
(25306)
aesteban (reporter)
2013-05-19 16:00

This bug is a duplicate of 07844, which is already fixed.

Sorry, I created 07844 before finding this one.

Issue Community Support
Supporters: c_schmitz
Opponents: No one explicitly opposes this issue yet.

Issue History
Date Modified Username Field Change
2013-03-04 10:04 hesi New Issue
2013-03-04 10:05 hesi Tag Attached: data integrity
2013-03-04 10:05 hesi Tag Attached: data security
2013-03-04 21:59 c_schmitz Assigned To => c_schmitz
2013-03-04 21:59 c_schmitz Status new => acknowledged
2013-03-04 22:00 c_schmitz Assigned To c_schmitz =>
2013-05-19 16:00 aesteban Note Added: 25306