Closed Bug 1054396 Opened 10 years ago Closed 9 years ago

HTTPOnly flag not set on session cookie

Categories

(developer.mozilla.org :: Security, defect)

Type: defect
Priority: Not set
Severity: major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Unassigned)


Details

(Keywords: sec-low, wsec-cookie)

Description: A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible. URL: https://ffdevtools.uservoice.com/session
Summary: Secure flag not set on session cookie → HTTPOnly flag not set on session cookie
HTTP/1.1 200 OK
Server: nginx/1.7.1
Date: Fri, 15 Aug 2014 17:23:28 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Status: 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
X-Rack-Cache: invalidate, pass
ETag: "de3d213cfc64fdf1af9707584acb4ee9"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; path=/; expires=Fri, 10 Oct 2014 17:23:28 -0000
X-Request-Id: f3c5ea4f-1235-4342-ba80-0c2052ca8828
X-Runtime: 0.054657
Severity: normal → major
Adding all MDN devs to cc list of these security bugs.
Robert - UserVoice will have to fix this on their side.
Flags: needinfo?(robert)
I've contacted UserVoice with this information and waiting to hear back from them.
Flags: needinfo?(robert)
UserVoice cookies appear to be set with HttpOnly now.
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: sec-low, wsec-cookie
Resolution: --- → FIXED
No, I was incorrect. Still testing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Axel, can you please work with uservoice to get this addressed?
Looks like this is fixed now:

$ curl -v "https://ffdevtools.uservoice.com/session"
* Trying 104.16.92.65...
* Connected to ffdevtools.uservoice.com (104.16.92.65) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=ssl149278.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
*   start date: Jan 04 00:00:00 2016 GMT
*   expire date: Dec 31 23:59:59 2016 GMT
*   common name: ssl149278.cloudflaressl.com
*   issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /session HTTP/1.1
> Host: ffdevtools.uservoice.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: cloudflare-nginx
< Date: Fri, 26 Feb 2016 15:27:59 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 105
< Connection: keep-alive
< Set-Cookie: __cfduid=d9533afe9de184588a5124509e86e9cd51456500479; expires=Sat, 25-Feb-17 15:27:59 GMT; path=/; domain=.uservoice.com; HttpOnly
< Status: 302 Found
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-UA-Compatible: chrome=1
< Location: https://ffdevtools.uservoice.com/signin
< P3P: CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"
< X-Rack-Cache: miss
< Cache-Control: no-cache
< Set-Cookie: _session_id=c956938309f0fd30422877a906f8f16c; path=/; HttpOnly; Secure
< X-Request-Id: 90953862-8e74-4dca-a822-72b3a47fd7ee
< X-Runtime: 0.021689
< CF-RAY: 27acad5aa8472168-EWR
<
* Connection #0 to host ffdevtools.uservoice.com left intact
<html><body>You are being <a href="https://ffdevtools.uservoice.com/signin">redirected</a>.</body></html>

Given that this isn't assigned to anyone and it doesn't appear to be on anyone's plate, I'm going to mark it as FIXED.
If the curl output above looks wrong and/or I didn't use the right steps to reproduce, please re-open.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → FIXED
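The difference between the 2014 response in this bug and the 2016 curl output is entirely in the Set-Cookie attributes, which is the kind of thing worth checking mechanically rather than by eye. The following is an added Python example, not code from this bug, from MDN or from UserVoice: it parses every Set-Cookie header in a raw HTTP response and reports which cookies lack HttpOnly or Secure. The two sample responses embedded in it are transcribed from the responses pasted above, trimmed to the headers that matter; the helper names are assumptions of this example.

```python
"""Audit Set-Cookie headers in a raw HTTP response for HttpOnly and Secure.

Added example, not part of the bug report. RESPONSE_2014 and RESPONSE_2016
are transcribed from the two responses quoted in this bug, trimmed to the
headers relevant to the cookie check.
"""
import re
from dataclasses import dataclass, field

# Transcribed from the 2014 response in the bug (only relevant headers kept).
RESPONSE_2014 = (
    "HTTP/1.1 200 OK\n"
    "Server: nginx/1.7.1\n"
    "Content-Type: application/json; charset=utf-8\n"
    "Set-Cookie: _uservoice_uid=791fbdb2a0959d23f65a021845cd6fbd4fb9d0f7; "
    "path=/; expires=Fri, 10 Oct 2014 17:23:28 -0000\n"
    "\n"
    "{}"
)

# Transcribed from the 2016 curl output in the bug (only relevant headers kept).
RESPONSE_2016 = (
    "HTTP/1.1 302 Found\n"
    "Server: cloudflare-nginx\n"
    "Set-Cookie: __cfduid=d9533afe9de184588a5124509e86e9cd51456500479; "
    "expires=Sat, 25-Feb-17 15:27:59 GMT; path=/; domain=.uservoice.com; HttpOnly\n"
    "Location: https://ffdevtools.uservoice.com/signin\n"
    "Set-Cookie: _session_id=c956938309f0fd30422877a906f8f16c; path=/; HttpOnly; Secure\n"
    "\n"
    "<html><body>You are being redirected.</body></html>"
)

# Flags every session cookie should carry; attribute names are case-insensitive.
REQUIRED_FLAGS = ("httponly", "secure")


@dataclass
class CookieFinding:
    name: str
    attributes: dict = field(default_factory=dict)  # lower-cased attribute -> value
    missing: list = field(default_factory=list)     # required flags not present


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Split one Set-Cookie value into the cookie name and its attribute map.

    Attributes are separated by ';' (RFC 6265), so the comma inside an
    expires date does not break the split. Value-less attributes such as
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return CookieFinding(name=name, attributes=attrs, missing=missing)


def audit_response(raw: str) -> dict:
    """Return {cookie_name: [missing flags]} for every Set-Cookie in a raw response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]  # headers only, body ignored
    findings = {}
    for line in head.splitlines()[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            finding = parse_set_cookie(value)
            findings[finding.name] = finding.missing
    return findings


def all_cookies_hardened(raw: str) -> bool:
    """True when every cookie in the response carries both HttpOnly and Secure."""
    return all(not missing for missing in audit_response(raw).values())


if __name__ == "__main__":
    for label, raw in (("2014", RESPONSE_2014), ("2016", RESPONSE_2016)):
        print(label, audit_response(raw), "hardened:", all_cookies_hardened(raw))
```

Run against the 2014 response it reports _uservoice_uid as missing both flags; against the 2016 response _session_id is clean, while the Cloudflare __cfduid cookie still lacks Secure, which the curl output above shows but the closing comment does not call out. A check like this belongs in a test that runs against staging before each deploy, since the flags live in server configuration that can silently change.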
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security