View Issue Details

ID: 07631
Project: Feature requests
Category: Security
View Status: public
Last Update: 2016-08-29 10:30
Reporter: hesi
Assigned To: c_schmitz
Priority: normal
Severity: feature
Status: closed
Resolution: fixed
Summary: 07631: Session Cookie XSS protection via HttpOnly flag
Description

Is it possible to set the HttpOnly option on the session cookie, to implement a cross-site scripting mitigation?

The additional Secure flag can't be set by default, as some surveys might be served over unencrypted HTTP connections.

Additional Information

Open Web Application Security Project (OWASP): HttpOnly option
https://www.owasp.org/index.php/HttpOnly

Open Web Application Security Project (OWASP): Testing for cookies attributes (OWASP-SM-002)
https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29
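The check a tester following the OWASP-SM-002 reference above would run against a survey page, as an added example (it is not code from the original report or from the project): it parses each Set-Cookie header, reports a cookie that lacks HttpOnly, and applies the reporter's caveat about the Secure flag by only expecting it on responses served over https (and flagging it on plain-http responses, where a Secure cookie would never be stored and the session would break). The sample headers, the URLs and the cookie name PHPSESSID are constructed for illustration and are assumptions, not values taken from the issue.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes (OWASP-SM-002 style check)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into the cookie name and a
    lowercase attribute map. Flag attributes (HttpOnly, Secure) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(url: str, header: str) -> CookieAudit:
    """Evaluate a single Set-Cookie header from a response fetched at `url`."""
    name, attrs = parse_set_cookie(header)
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    scheme = urlparse(url).scheme.lower()
    findings: List[str] = []

    # Without HttpOnly the cookie is readable from script via document.cookie,
    # so any XSS on the site can exfiltrate the session identifier.
    if not httponly:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")

    # Secure is only expected on https responses; the reporter's caveat is that
    # surveys served over plain http cannot carry it, because the browser would
    # refuse to store the cookie and the session would never be established.
    if scheme == "https" and not secure:
        findings.append(f"{name}: missing Secure on an https response (cookie also sent over http)")
    elif scheme == "http" and secure:
        findings.append(f"{name}: Secure set on an http response (browser will not store it)")

    return CookieAudit(name, httponly, secure, findings)


def audit_response(url: str, set_cookie_headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie header of one response."""
    return [audit_cookie(url, h) for h in set_cookie_headers]


if __name__ == "__main__":
    # Constructed sample responses (assumed values, not taken from the issue).
    samples = [
        ("http://survey.example/index.php", ["PHPSESSID=abc123; path=/"]),
        ("https://survey.example/index.php", ["PHPSESSID=abc123; path=/; HttpOnly; Secure"]),
        ("https://survey.example/index.php", ["PHPSESSID=abc123; path=/; HttpOnly"]),
    ]
    for url, headers in samples:
        for result in audit_response(url, headers):
            status = "OK" if not result.findings else "; ".join(result.findings)
            print(f"{url} -> {result.name}: {status}")
```

The scheme check is the practical reason the request asks for HttpOnly by default but not Secure: HttpOnly is safe to set unconditionally, while Secure has to follow the scheme the survey is actually served on.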

Tags: data integrity, data security
Bug heat: 254

Users monitoring this issue

aesteban

Activities

aesteban (developer)   2013-05-19 16:00   ~25306

This bug is a duplicate of 07844, which is already fixed.

Sorry, I created 07844 before finding this one.

Issue History

Date Modified Username Field Change
2013-03-04 10:04 hesi New Issue
2013-03-04 10:05 hesi Tag Attached: data integrity
2013-03-04 10:05 hesi Tag Attached: data security
2013-03-04 21:59 c_schmitz Assigned To => c_schmitz
2013-03-04 21:59 c_schmitz Status new => acknowledged
2013-03-04 22:00 c_schmitz Assigned To c_schmitz =>
2013-05-19 15:57 aesteban Issue Monitored: aesteban
2013-05-19 16:00 aesteban Note Added: 25306
2016-08-29 10:30 c_schmitz Status acknowledged => closed
2016-08-29 10:30 c_schmitz Assigned To => c_schmitz
2016-08-29 10:30 c_schmitz Resolution open => fixed
2016-08-29 10:30 c_schmitz Fixed in Version => 2.5+
2021-08-03 18:20 guest Bug heat 252 => 254