ID: 14769
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-03-10 22:59
Reporter: bewi
Assigned To: c_schmitz
Priority: none
Severity: minor
Status: closed
Resolution: duplicate
Product Version: 3.17.x
Summary: 14769: missing cookie attribute
Description

In order to influence security-relevant properties of cookies, they can be provided with various attributes.

The attribute SameSite prevents the sending of cookies in cross-domain requests. Unnecessary information disclosures are thus prevented and an additional protection against Cross-Site Request Forgery (CSRF) attacks is established.
For this attribute there are two values:

  • The value 'strict' ensures that the cookie is not sent at all with cross-domain requests, not even when clicking on external links.
  • The value 'lax' provides cookie transmission for regular GET requests, but prevents CSRF attacks, such as POST requests.

This attribute should be set to 'lax' for all cookies unless there is a specific exception.
Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No
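Added example, not part of the report or of LimeSurvey itself: a small Python audit that takes raw Set-Cookie header values (constructed samples below, including a PHPSESSID cookie as this report concerns) and reports the attributes the description asks for, plus the related Secure and HttpOnly checks a scanner would raise alongside SameSite.

```python
from dataclasses import dataclass, field

@dataclass
class CookieAudit:
    name: str
    attrs: dict = field(default_factory=dict)      # lower-cased attribute name -> value
    findings: list = field(default_factory=list)   # human-readable problems found

def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attrs=attrs)

def audit_cookie(header: str, https: bool = True) -> CookieAudit:
    """Flag the missing or unsafe attributes for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    attrs = cookie.attrs
    samesite = attrs.get("samesite", "").lower()
    if "samesite" not in attrs:
        # Not every browser falls back to Lax, so the attribute must be set explicitly.
        cookie.findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        cookie.findings.append("SameSite=None without Secure")
    elif samesite not in ("strict", "lax", "none"):
        cookie.findings.append(f"invalid SameSite value {attrs['samesite']!r}")
    if https and "secure" not in attrs:
        cookie.findings.append("missing Secure")
    if "httponly" not in attrs:
        cookie.findings.append("missing HttpOnly")
    return cookie

def audit_headers(headers, https: bool = True) -> list:
    return [audit_cookie(h, https) for h in headers]

# Constructed samples: a default PHP session cookie, a partly hardened app cookie, a hardened one, and SameSite=None without Secure.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/",
    "survey_lang=en; path=/; HttpOnly",
    "PHPSESSID=def456; path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=1; path=/; SameSite=None",
]
if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(result.name, "OK" if not result.findings else ", ".join(result.findings))
```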

Relationships

related to 14766 (closed, c_schmitz, Bug reports): Limesurvey doesn't correctly handle multiple PHPSESSID cookies
related to 15142 (closed, c_schmitz, Bug reports): Limesurvey has Missing Cookie Security Attributes

Activities

DenisChenu (developer), 2019-04-12 11:21, note ~51452

Can be fixed (I think) in config.php: https://manual.limesurvey.org/Optional_settings#Other_sessions_update

But we can set it as «the most secure we can» in a new install (in the generated config.php).

Don't know for internal (forced Yii config, config.php can update it).

Issue History

Date Modified | Username | Field | Change
2019-04-12 11:00 | bewi | New Issue |
2019-04-12 11:21 | DenisChenu | Note Added | 51452
2019-04-12 11:22 | DenisChenu | Issue Monitored | DenisChenu
2019-04-12 12:50 | DenisChenu | Relationship added | related to 14766
2019-08-08 21:28 | jelo | Relationship added | related to 15142
2019-09-04 14:08 | cdorin | Assigned To | => c_schmitz
2019-09-04 14:08 | cdorin | Status | new => assigned
2021-03-10 22:59 | ollehar | Status | assigned => closed
2021-03-10 22:59 | ollehar | Resolution | open => duplicate