View Issue Details

ID: 15142
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-08-08 21:28
Reporter: ma77ie
Assigned To:
Status: new
Resolution: open
Product Version: 3.17.x
Target Version:
Fixed in Version:
Summary: 15142: Limesurvey has Missing Cookie Security Attributes

Limesurvey creates cookies that have weak attributes, which compromises their security. In particular, the PHPSESSID cookie doesn't have SameSite set and YII_CSRF_TOKEN doesn't have HttpOnly & SameSite set.

Steps To Reproduce

View cookies in a browser; for example, in Firefox select Web Developer / Storage Inspector from the menu and view cookies. The yellow box on the attached screenshot shows the HttpOnly and/or SameSite attributes not set for these cookies.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.9+190731
I will donate to the project if issue is resolved: No
Database & DB-Version: MySQL 5.7.20
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0.33


related to 14769 new missing cookie attribute 




2019-08-07 14:53


limesurvey cookies.png (172,897 bytes)

Issue History

Date Modified Username Field Change
2019-08-07 14:53 ma77ie New Issue
2019-08-07 14:53 ma77ie File Added: limesurvey cookies.png
2019-08-08 21:28 jelo Relationship added related to 14769
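
The manual browser check in this report can also be scripted against captured Set-Cookie response headers. The following is an added example, not code from the reporter or from LimeSurvey; the function names are hypothetical and the sample header values are constructed to mirror the state the report describes.

```python
# Added example: flag cookies missing the attributes named in this report.
REQUIRED = ("httponly", "samesite")
STRONG_SAMESITE = {"lax", "strict"}

# Constructed Set-Cookie values mirroring the state the report describes.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed-session-id; path=/; HttpOnly",
    "YII_CSRF_TOKEN=constructed-token; path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, attribute dict)."""
    pair, *rest = header.split(";")
    name = pair.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, sep, value = part.partition("=")
        key = key.strip().lower()  # attribute names are case-insensitive
        if key:
            attrs[key] = value.strip() if sep else True
    return name, attrs


def audit(headers, required=REQUIRED):
    """Return {cookie name: [missing or weak attributes]} for failing cookies."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [attr for attr in required if attr not in attrs]
        # SameSite=None (or a bare SameSite) is present but gives no
        # cross-site protection, so it is reported alongside missing ones.
        if ("samesite" in required and "samesite" in attrs
                and str(attrs["samesite"]).lower() not in STRONG_SAMESITE):
            missing.append("samesite")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing or weak {', '.join(missing)}")
```

An empty result from audit() means every cookie in the input carries both attributes with a SameSite value of Lax or Strict.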