[Koha-bugs] [Bug 9102] [SECURITY] We should set httponly on our session cookie
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Jan 3 08:36:04 CET 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9102
Katrin Fischer <katrin.fischer at bsz-bw.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #13580|0 |1
is obsolete| |
--- Comment #12 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Created attachment 14384
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=14384&action=edit
[SIGNED-OFF] Bug 9102 : Set HttpOnly on the CGISESSID cookie
https://www.owasp.org/index.php/HttpOnly
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83 at web.de>
To test, use curl
Before the patch
% curl -I http://192.168.2.135
HTTP/1.1 200 OK
Date: Sun, 18 Nov 2012 06:56:49 GMT
Server: Apache/2.2.22 (Ubuntu)
Pragma: no-cache
Cache-control: no-cache
Content-script-type: text/javascript
Content-style-type: text/css
Set-Cookie: CGISESSID=19689f6e7d8ec94c25269fecebf2f009; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
After patch
% curl -I http://192.168.2.135
HTTP/1.1 200 OK
Date: Sun, 18 Nov 2012 07:01:04 GMT
Server: Apache/2.2.22 (Ubuntu)
Pragma: no-cache
Cache-control: no-cache
Content-script-type: text/javascript
Content-style-type: text/css
Set-Cookie: CGISESSID=da25baf03c0bc1e2c512a627028e43e6; path=/; HttpOnly
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list