View Issue Details

ID: 15142
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-09-04 14:08
Reporter: ma77ie
Assigned To: c_schmitz
Status: assigned
Resolution: open
Product Version: 3.17.x
Summary: 15142: Limesurvey has Missing Cookie Security Attributes

LimeSurvey creates cookies that have weak attributes, which compromises their security. In particular, the PHPSESSID cookie doesn't have SameSite set and YII_CSRF_TOKEN doesn't have HttpOnly & SameSite set.

Steps To Reproduce

View cookies in a browser, for example in Firefox select Web Developer / Storage Inspector from the menu and view cookies. The yellow box on the attached screenshot shows the HttpOnly and/or SameSite attributes not set for these cookies.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.9+190731
I will donate to the project if issue is resolved: No
Database & DB-Version: MySQL 5.7.20
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0.33


related to 14769 (assigned, c_schmitz): missing cookie attribute




2019-08-07 14:53


limesurvey cookies.png (172,897 bytes)

Issue History

Date Modified Username Field Change
2019-08-07 14:53 ma77ie New Issue
2019-08-07 14:53 ma77ie File Added: limesurvey cookies.png
2019-08-08 21:28 jelo Relationship added related to 14769
2019-09-04 14:08 cdorin Assigned To => c_schmitz
2019-09-04 14:08 cdorin Status new => assigned
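
The manual check from "Steps To Reproduce" can also be scripted against the raw Set-Cookie response headers. The following is an added example, not part of the original report or of LimeSurvey's code; the header values are constructed to mirror the state the report describes, and the function names are hypothetical.

```python
# Audit Set-Cookie header values for missing HttpOnly / SameSite attributes.
# SAMPLE_HEADERS is constructed sample input modelled on the report,
# not captured from a real server.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "YII_CSRF_TOKEN=def456; path=/",
    "hardened_cookie=1; Path=/; Secure; HttpOnly; SameSite=Lax",
]

REQUIRED = ("httponly", "samesite")          # attributes named in the report
VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def missing_attributes(value, required=REQUIRED):
    """Return (cookie name, list of required attributes that are not effective)."""
    name, attrs = parse_set_cookie(value)
    missing = [a for a in required if a not in attrs]
    # An unrecognised SameSite value gives no protection, so count it as missing.
    if "samesite" in attrs and attrs["samesite"].lower() not in VALID_SAMESITE:
        missing.append("samesite")
    return name, missing


def audit(headers):
    """Map each cookie with findings to the attributes it lacks."""
    findings = {}
    for header in headers:
        name, missing = missing_attributes(header)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```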