
View Issue Details

ID: 14769
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-08-08 21:28
Reporter: bewi
Assigned To:
Priority: none
Severity: minor
Status: new
Resolution: open
Product Version: 3.17.x
Target Version:
Fixed in Version:
Summary: 14769: missing cookie attribute
Description

In order to influence security-relevant properties of cookies, they can be provided with various attributes.

The attribute SameSite prevents the sending of cookies in cross-domain requests. Unnecessary information disclosures are thus prevented and an additional protection against Cross-Site Request Forgery (CSRF) attacks is established.
For this attribute there are two values:

  • The value 'strict' ensures that the cookie is not sent at all with cross-domain requests, not even when clicking on external links.
  • The value 'lax' provides cookie transmission for regular GET requests, but prevents CSRF attacks, such as those using POST requests.

This attribute should be set to 'lax' for all cookies, apart from exceptions.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version*:
Server OS (if known):
Webserver software & version (if known):
PHP Version*:
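
Added example (not part of the original report and not LimeSurvey code): a small Python check that reads Set-Cookie header values and reports which cookies lack a SameSite value of 'strict' or 'lax', the two values named in the description. The cookie names and header lines are constructed samples.

```python
# Added example: audit Set-Cookie header values for the SameSite attribute.
# SAMPLE_HEADERS are constructed for illustration, not captured from LimeSurvey.

ACCEPTED = {"strict", "lax"}  # the two values named in the report


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; flags such as HttpOnly get "".
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_samesite(headers):
    """Map each cookie name to 'missing', 'strict', 'lax' or 'other'."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        value = attrs.get("samesite")
        if value is None:
            findings[name] = "missing"
        elif value.lower() in ACCEPTED:
            findings[name] = value.lower()
        else:
            findings[name] = "other"
    return findings


def flagged(headers):
    """Names of cookies whose SameSite is neither 'strict' nor 'lax'."""
    result = audit_samesite(headers)
    return sorted(n for n, f in result.items() if f not in ACCEPTED)


SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "YII_CSRF_TOKEN=def456; path=/; SameSite=Lax",
    "prefs=compact; Path=/; Secure; samesite=STRICT",
    "tracking=1; Path=/; SameSite=sometimes",
]

if __name__ == "__main__":
    for cookie, finding in audit_samesite(SAMPLE_HEADERS).items():
        print(f"{cookie}: SameSite {finding}")
```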

Activities

DenisChenu

2019-04-12 11:21

developer   ~51452

Can be fixed (I think) in config.php: https://manual.limesurvey.org/Optional_settings#Other_sessions_update

But we can set it as «the most secure we can» in a new install (in the generated config.php)

Don't know for internal (forced Yii config, config.php can update it).

Issue History

Date Modified Username Field Change
2019-04-12 11:00 bewi New Issue
2019-04-12 11:21 DenisChenu Note Added: 51452
2019-04-12 12:50 DenisChenu Relationship added related to 14766
2019-04-12 12:50 DenisChenu Relationship added related to 14772
2019-08-08 21:28 jelo Relationship added related to 15142