http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102 Bug ID: 9102 Summary: [SECURITY] We should set httponly on our session cookie Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: chris@bigballofwax.co.nz https://www.owasp.org/index.php/HttpOnly If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party. If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. There is no reason for the client side to be accessing the session cookie, so for browsers that supports this, this helps protect the user from malicious javascript. -- You are receiving this mail because: You are watching all bug changes.