sessionid and csrftoken cookies secure & httpOnly flags

VERIFIED DUPLICATE of bug 564278

Status

addons.mozilla.org Graveyard
Public Pages

People

(Reporter: 0x5042, Unassigned)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.224 Chrome/8.0.552.224 Safari/534.10
Build Identifier: 5.12.6

The sessionid cookie isn't set with the httpOnly flag, so it can be accessed from JavaScript. This could be used in some XSS attacks. The csrftoken cookie isn't set with the httpOnly and secure flags; it could be accessed from JavaScript and it could be sent over an insecure channel.

Reproducible: Always

Steps to Reproduce:
1. Login to AMO
2. Go to 'Edit Profile'
3. Look at cookie properties set by AMO
Actual Results:  
sessionid: doesn't set httpOnly
csrftoken: doesn't set httpOnly and secure

Expected Results:  
To mitigate XSS attacks both cookies should be set with the 'httpOnly' flag (http://www.owasp.org/index.php/HttpOnly). The 'csrftoken' cookie should also be secured with the 'secure' cookie flag.
Severity: enhancement → normal
Component: Add-on Security → Public Pages
OS: Linux → All
QA Contact: security → web-ui
Hardware: x86 → All
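The check in step 3 of the report (inspect the flags on each cookie AMO sets) can be automated against raw Set-Cookie response headers. The following is an added example, not code from the bug report or from the AMO project: it parses each Set-Cookie header, compares the attributes present against a per-cookie policy, and lists which of HttpOnly / Secure are missing. The policy (both cookies must carry both flags) is derived from the report's expected results; the cookie values and header sets are constructed, and nothing here is taken from a live AMO response.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags.

Added example (not from the bug report or the AMO project). All header
values below are constructed for illustration.
"""

# Policy derived from the report's expected results: both cookies must be
# HttpOnly, and csrftoken must also be Secure (sessionid is required to be
# Secure as well, which is the state the report treats as correct).
REQUIRED_FLAGS = {
    "sessionid": {"httponly", "secure"},
    "csrftoken": {"httponly", "secure"},
}

# Constructed headers reproducing the reported state (flags missing).
WEAK_HEADERS = [
    "sessionid=CONSTRUCTED_SESSION_VALUE; Path=/; Secure",
    "csrftoken=CONSTRUCTED_CSRF_VALUE; Path=/; Max-Age=31449600",
]

# Constructed headers for the hardened state the report asks for.
HARDENED_HEADERS = [
    "sessionid=CONSTRUCTED_SESSION_VALUE; Path=/; Secure; HttpOnly",
    "csrftoken=CONSTRUCTED_CSRF_VALUE; Path=/; Max-Age=31449600; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as
    'Secure' and 'HttpOnly' are stored as True. Splitting on ';' is safe
    because cookie attribute values (including Expires dates, which
    contain commas) never contain a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, policy=REQUIRED_FLAGS):
    """Return {cookie_name: sorted list of required flags that are absent}.

    Cookies not named in the policy are ignored; a cookie that appears in
    the policy but carries every required flag maps to an empty list.
    """
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        required = policy.get(name)
        if required is None:
            continue
        findings[name] = sorted(flag for flag in required if flag not in attrs)
    return findings


if __name__ == "__main__":
    for label, headers in (("reported", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"--- {label} ---")
        for cookie, missing in audit_cookies(headers).items():
            state = "ok" if not missing else "missing " + ", ".join(missing)
            print(f"{cookie}: {state}")
```

Run against the constructed "reported" headers the audit flags sessionid as missing httponly and csrftoken as missing both flags; against the hardened set it reports nothing. One caveat when applying the HttpOnly fix to a CSRF token cookie: if client-side script reads that cookie to echo the token in requests (a double-submit pattern), HttpOnly will break that flow, and the token has to be delivered to the page some other way, such as in the rendered form.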

Updated

8 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 564278
Verified duplicate.
Status: RESOLVED → VERIFIED
Group: client-services-security
(Assignee)

Updated

2 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard