Wedge
Public area => Bug reports => The Pub => Archived fixes => Topic started by: CerealGuy on September 4th, 2015, 10:54 PM
-
Wedge already wants to do that (setting httponly), but it misses some `true` arguments on setcookie().
HttpOnly basically forbids the browser/JS from accessing document.cookie, which prevents bad exploitation of XSS (otherwise the cookie could get stolen).
https://www.owasp.org/index.php/HttpOnly
https://github.com/C3realGuy/wedge/commit/71a066380d1301a82c95cc5144039edceca98c9e
-
Wasn't aware of this.
Looks like all other setcookie calls were setting that flag already, there were only two missing, which you caught.
Please review my changes! (I would have integrated yours directly and not bothered, but you didn't make a PR so I made more changes :P)
-
This was fixed:
https://github.com/Wedge/wedge/commit/0cd910721ca98c591928f284d5bd785c59142434
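For reference, an added example (not Wedge's code and not from the linked commits) showing the setcookie() argument this thread is about, plus a small check that lists cookies emitted without HttpOnly; the cookie names, lifetimes and the HTTPS-only assumption are constructed for illustration.

```php
<?php
// Before: six positional arguments, so the seventh ($httponly) keeps its
// default of false and the cookie stays readable through document.cookie.
function set_weak_cookie(string $name, string $value): void {
    setcookie($name, $value, time() + 3600, '/', '', false);
}

// After: the seventh argument is true, so the browser withholds the cookie
// from script. On PHP >= 7.3 the options array form is clearer and lets
// Secure and SameSite be set in the same call.
function set_hardened_cookie(string $name, string $value): void {
    if (PHP_VERSION_ID >= 70300) {
        setcookie($name, $value, [
            'expires'  => time() + 3600,
            'path'     => '/',
            'secure'   => true,   // assumption: the site is served over HTTPS
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    } else {
        setcookie($name, $value, time() + 3600, '/', '', true, true);
    }
}

// Defender's check: given the Set-Cookie header values of a response
// (from headers_list(), a test client or a proxy log), return the names
// of cookies that were sent without the HttpOnly attribute.
function cookies_missing_httponly(array $setCookieHeaders): array {
    $missing = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        $name  = explode('=', array_shift($parts), 2)[0];
        $attrs = array_map('strtolower', $parts);
        if (!in_array('httponly', $attrs, true)) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample headers, as a browser would receive them; the second
// one reproduces the shape of the two calls that were missing the flag.
$sample = [
    'PHPSESSID=abc123; path=/; secure; HttpOnly',
    'wedge_login=xyz; expires=Fri, 04 Sep 2015 22:54:00 GMT; path=/',
];
print_r(cookies_missing_httponly($sample));
```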