View Issue Details

Jump to NotesJump to History
This issue affects 1 person(s).
 254
IDProjectCategoryView StatusDate SubmittedLast Update
15142Bug reportsSecuritypublic2019-08-07 14:532021-07-12 14:04
Reporterma77ie Assigned Toc_schmitz  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Product Version3.17.x 
Summary15142: Limesurvey has Missing Cookie Security Attributes
Description

Limesurvey creates cookies that have weak attributes which compromises their security. In particular PHPSESSID cookie doesn't have SameSite set and YII_CSRF_TOKEN doesn't have HttpOnly & SameSite set.

Steps To Reproduce

View cookies in a browser, for example in FireFox select Web Developer / Storage Inspector from the menu and view cookies. Yellow box on attached screenshot shows HttpOnly and/or SameSite attributes not set for these cookies.

TagsNo tags attached.
Attached Files
limesurvey cookies.png (172,897 bytes)
Bug heat254
Complete LimeSurvey version number (& build)3.17.9+190731
I will donate to the project if issue is resolvedNo
Browser
Database type & versionMySQL 5.7.20
Server OS (if known)
Webserver software & version (if known)
PHP Version7.0.33

Relationships

Relationship GraphDependency Graph
related to 14769 closedc_schmitz missing cookie attribute 

Users monitoring this issue

There are no users monitoring this issue.

Activities

ollehar

ollehar

2021-03-10 22:59

administrator   ~63233

Please update to the latest version and check if the bug can still be reproduced. Thank you.
c_schmitz

c_schmitz

2021-07-12 14:04

administrator   ~65376

Hello ma77ie,
I checked this with the latest version and could not reproduce, so this is most likely fixed for good.
Therefore, I am closing this issue. If you still can reproduce the issue using the latest version, please feel free to re-open the issue.
Thank you!

c_schmitz

Issue History

Date Modified Username Field Change
2019-08-07 14:53 ma77ie New Issue
2019-08-07 14:53 ma77ie File Added: limesurvey cookies.png
2019-08-08 21:28 jelo Relationship added related to 14769
2019-09-04 14:08 cdorin Assigned To => c_schmitz
2019-09-04 14:08 cdorin Status new => assigned
2021-03-10 22:59 ollehar Status assigned => feedback
2021-03-10 22:59 ollehar Note Added: 63233
2021-07-12 14:04 c_schmitz Status feedback => closed
2021-07-12 14:04 c_schmitz Resolution open => fixed
2021-07-12 14:04 c_schmitz Note Added: 65376