[Koha-bugs] [Bug 9102] New: [SECURITY] We should set httponly on our session cookie
bugzilla-daemon at bugs.koha-community.org
Sun Nov 18 08:00:11 CET 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102
Bug ID: 9102
Summary: [SECURITY] We should set httponly on our session cookie
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: OPAC
Assignee: oleonard at myacpl.org
Reporter: chris at bigballofwax.co.nz
https://www.owasp.org/index.php/HttpOnly
If the HttpOnly flag (optional) is included in the HTTP response header, the
cookie cannot be accessed through client side script (again if the browser
supports this flag). As a result, even if a cross-site scripting (XSS) flaw
exists, and a user accidentally accesses a link that exploits this flaw, the
browser (primarily Internet Explorer) will not reveal the cookie to a third
party.
If a browser does not support HttpOnly and a website attempts to set an
HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus
creating a traditional, script accessible cookie. As a result, the cookie
(typically your session cookie) becomes vulnerable to theft or modification by
malicious script.
There is no reason for the client side to be accessing the session cookie, so
for browsers that support this, this helps protect the user from malicious
JavaScript.
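As an added illustration of the flag this report asks for (example code, not Koha's own, which is Perl), the block below builds a Set-Cookie header for a session cookie with HttpOnly set and audits a list of Set-Cookie headers for session cookies that lack HttpOnly or Secure. The cookie name CGISESSID and the sample header values are assumptions constructed for the example, not taken from the report.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, httponly=True, secure=False, path="/"):
    """Return a Set-Cookie header value for a session cookie.

    With httponly=True the header carries the "HttpOnly" attribute, so a
    browser that honours it will not expose the cookie to document.cookie;
    browsers that do not understand the attribute simply ignore it.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = httponly  # emitted as "; HttpOnly" when truthy
    jar[name]["secure"] = secure      # emitted as "; Secure" when truthy
    return jar[name].OutputString()


def audit_set_cookie(headers, session_names):
    """Parse Set-Cookie header values and report session cookies missing
    HttpOnly or Secure. Returns a list of (cookie_name, finding) tuples."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)  # attribute names are matched case-insensitively
        for name, morsel in jar.items():
            if name not in session_names:
                continue  # only session cookies matter for this check
            if not morsel["httponly"]:
                findings.append((name, "missing HttpOnly"))
            if not morsel["secure"]:
                findings.append((name, "missing Secure"))
    return findings


if __name__ == "__main__":
    # Constructed sample: assumed session cookie name, one weak header.
    sample_headers = ["CGISESSID=deadbeef; Path=/", "lang=en; Path=/"]
    for cookie, problem in audit_set_cookie(sample_headers, {"CGISESSID"}):
        print(f"{cookie}: {problem}")
    print(build_session_cookie("CGISESSID", "deadbeef", secure=True))
```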