View Issue Details

ID: 14769
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-09-04 14:08
Reporter: bewi
Assigned To: c_schmitz
Status: assigned
Resolution: open
Product Version: 3.17.x
Summary: 14769: missing cookie attribute

In order to influence security-relevant properties of cookies, they can be provided with various attributes.

The attribute SameSite prevents the sending of cookies in cross-domain requests. Unnecessary information disclosures are thus prevented and an additional protection against Cross-Site Request Forgery (CSRF) attacks is established.
For this attribute there are two values:

  • The value 'strict' ensures that the cookie is not sent at all with cross-domain requests, not even when clicking on external links.
  • The value 'lax' provides cookie transmission for regular GET requests, but prevents CSRF attacks, such as POST requests.
    This attribute should be set to 'lax' for all cookies except exceptions.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No
Database & DB-Version*
Server OS (if known)
Webserver software & version (if known)
PHP Version*
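
The SameSite behaviour described in the report, modelled as an added example (not part of the original report and not LimeSurvey code): it parses Set-Cookie headers and lists the cookies that would still be sent with a cross-site POST. The sample headers and the cookie names other than PHPSESSID are constructed, and a cookie without the attribute is assumed to be sent unrestricted.

```python
# Added example: models the 'strict' / 'lax' rules from the report.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def parse_set_cookie(header):
    """Return (name, attrs) with attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def samesite_mode(attrs):
    """Normalise the attribute to 'strict', 'lax', 'none' or 'missing'."""
    value = attrs.get("samesite", "").lower()
    return value if value in ("strict", "lax", "none") else "missing"

def sent_on_cross_site(mode, method, top_level_navigation):
    """Would the browser attach the cookie to this cross-site request?"""
    if mode == "strict":
        return False  # never sent cross-site, not even on link clicks
    if mode == "lax":
        # only top-level navigations with a safe method (e.g. a clicked link)
        return top_level_navigation and method.upper() in SAFE_METHODS
    # 'none' or attribute absent: assumed unrestricted here (legacy browser
    # behaviour; newer browsers may apply Lax when the attribute is missing)
    return True

def audit(headers):
    """List (name, mode) for cookies that ride along on a cross-site POST."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        mode = samesite_mode(attrs)
        if sent_on_cross_site(mode, "POST", top_level_navigation=False):
            findings.append((name, mode))
    return findings

SAMPLE_HEADERS = [  # constructed sample data, not captured traffic
    "PHPSESSID=abc123; path=/; HttpOnly",
    "survey_lang=en; path=/; SameSite=Lax",
    "prefs=compact; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for name, mode in audit(SAMPLE_HEADERS):
        print(f"{name}: SameSite {mode}, sent with cross-site POST")
```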


related to 14766 closed c_schmitz Bug reports Limesurvey doesn't correctly handle multiple PHPSESSID cookies
related to 14772 assigned DenisChenu Development Review default config.php when installing
related to 15142 assigned c_schmitz Bug reports Limesurvey has Missing Cookie Security Attributes




2019-04-12 11:21

developer   ~51452

Can be fixed (I think) in config.php:

But we can set it as «the most secure we can» in a new install (in the generated config.php)

Don't know for internal (forced Yii config, config.php can update it).

Issue History

Date Modified Username Field Change
2019-04-12 11:00 bewi New Issue
2019-04-12 11:21 DenisChenu Note Added: 51452
2019-04-12 12:50 DenisChenu Relationship added related to 14766
2019-04-12 12:50 DenisChenu Relationship added related to 14772
2019-08-08 21:28 jelo Relationship added related to 15142
2019-09-04 14:08 cdorin Assigned To => c_schmitz
2019-09-04 14:08 cdorin Status new => assigned