Closed Bug 647283 Opened 14 years ago Closed 9 years ago

set HTTPOnly and Secure flags for cookies

Categories

(Websites :: intlstore.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dchanm+bugzilla, Assigned: jslater)

Details

(Keywords: sec-moderate, Whiteboard: [infrasec:cookie][ws:moderate])

The store currently doesn't set the HttpOnly and Secure flags for session cookies (osCsid). Enabling these flags reduces the risk of session exposure from an XSS attack and from insecure transmission of the session cookie.

Steps to reproduce
1. Log into the international store.
2. Notice that the osCsid cookie and other cookies do not have the Secure and HttpOnly flags.

Recommended remediation
Update the application to set these flags. http://www.owasp.org/index.php/HttpOnly
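The check the reporter describes can be automated against response headers. The script below is an added example and is not code from this bug or from the store; it parses each Set-Cookie header, reports cookies that lack the Secure or HttpOnly attribute, and flags the known session-cookie names. The sample headers are constructed to mirror the report (an osCsid cookie set without either flag, then the same cookie with both) and are not captured traffic; the cookie values and the second cookie name are made up.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example for bug 647283; not part of the report or the store's code.
All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Session cookie names we treat as high value (lower-cased for matching).
# osCsid is the one named in the report; the others are common defaults.
SESSION_COOKIE_NAMES = {"oscsid", "phpsessid", "jsessionid"}

# Attributes the report asks for. Each is a flag attribute with no value.
REQUIRED_FLAGS = ("secure", "httponly")


@dataclass
class CookieFinding:
    name: str
    missing: List[str]      # required flags that were not present
    session_cookie: bool    # True if the name is a known session cookie


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attr_lower: value}).

    Only ';' separates attributes, so an Expires date containing commas
    is handled correctly. Flag attributes map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_set_cookie(header_value: str) -> CookieFinding:
    """Return which required flags are absent from a single Set-Cookie value."""
    name, attrs = parse_set_cookie(header_value)
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return CookieFinding(name, missing, name.lower() in SESSION_COOKIE_NAMES)


def audit_response_headers(headers: List[Tuple[str, str]]) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a (name, value) header list.

    Only cookies with at least one missing flag are returned.
    """
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            finding = audit_set_cookie(header_value)
            if finding.missing:
                findings.append(finding)
    return findings


def report(findings: List[CookieFinding]) -> List[str]:
    """Render findings as one line per cookie, session cookies marked."""
    lines = []
    for f in findings:
        tag = " [SESSION COOKIE]" if f.session_cookie else ""
        lines.append(f"{f.name}: missing {', '.join(f.missing)}{tag}")
    return lines


# Constructed sample headers: the situation the report describes, and the fixed form.
SAMPLE_BEFORE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "osCsid=0123456789abcdef; path=/; domain=intlstore.mozilla.org"),
    ("Set-Cookie", "shop_pref=EUR; expires=Tue, 01 Jan 2041 00:00:00 GMT; path=/"),
]
SAMPLE_AFTER = [
    ("Set-Cookie", "osCsid=0123456789abcdef; path=/; domain=intlstore.mozilla.org; Secure; HttpOnly"),
    ("Set-Cookie", "shop_pref=EUR; expires=Tue, 01 Jan 2041 00:00:00 GMT; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("before fix:")
    for line in report(audit_response_headers(SAMPLE_BEFORE)):
        print("  " + line)
    print("after fix: %d findings" % len(audit_response_headers(SAMPLE_AFTER)))
```

Run it against a real response by feeding the header list from your HTTP client of choice into audit_response_headers. The Secure flag only helps when the whole login and session flow is served over HTTPS; a cookie marked Secure is simply not sent on plain-HTTP requests, so the site must not depend on it there. If the store is a PHP application (the osCsid cookie name suggests osCommerce; this is an assumption, not stated in the bug), the session cookie flags can be set globally with the session.cookie_secure and session.cookie_httponly ini directives rather than per call.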
intlstore is decommissioned
Group: websites-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED