Closed Bug 854165 Opened 12 years ago Closed 12 years ago

Session cookies are not HTTPOnly

Categories

(developer.mozilla.org :: Security, defect)

Product:
developer.mozilla.org
Component:
Security
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: rforbes, Assigned: jsocol)

References

Details

(Keywords: sec-high)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20130319 Firefox/22.0 Build ID: 20130319030939 Steps to reproduce: The session cookie is not protected with the HTTPOnly or secure flag.
I was able to steal a users session by taking the session cookie and inserting it into a new browser session.
Severity: normal → critical
Component: General → Security
Keywords: sec-high
We'll need to update Django to get the HTTPOnly setting, but we just need: SESSION_COOKIE_SECURE = True SESSION_COOKIE_HTTPONLY = True in settings. Given that all traffic is over SSL, I'm surprised the former wasn't set already.
Assignee: nobody → james
SESSION_COOKIE_SECURE is already set to True in Kuma's settings. https://github.com/mozilla/kuma/blob/master/settings.py#L731 Added HTTPONLY in a pull req: https://github.com/mozilla/kuma/pull/955
:rforbes - How did you steal the session cookie? I don't see it submitted over HTTP from my browser.
i stole it by hand just to test to see if it works. We recently had a XSS vulnerability submitted for MDN which is a typical way of grabbing the session cookie.
(In reply to Raymond Forbes[:rforbes] from comment #5) > i stole it by hand just to test to see if it works. We recently had a XSS > vulnerability submitted for MDN which is a typical way of grabbing the > session cookie. "stole it by hand"? I'm not sure I follow. Were you able to get the browser to transmit it over HTTP? XSS will be mitigated by HTTPOnly, which depends on bug 841772. (In reply to Raymond Forbes[:rforbes] from comment #1) > I was able to steal a users session by taking the session cookie and > inserting it into a new browser session. Does this mean you went into the browser settings, got the cookie value, went into a new browser, set the cookie value, and were logged in? That's pretty much expected behavior.
I stole it by hand by opening two browsers, grabbing the cookie value and inserting into the other browser. i realize this is expected when you do only client side session validation but if we do that we have to be extra careful of things like XSS and making sure the cookie has httponly flag set. as long as the flag isn't set and we validate based on the client the session will be vulnerable.
I'm throwing out my other confusion and questions: It sounds like the only issue is that we don't have the HTTPOnly flag, is that correct? Assuming that's correct, this depends on bug 841772, and I've set it as a blocker.
Depends on: 841772
Summary: MDN session cookie not protected → Session cookies are not HTTPOnly
yup, that's the one issue i was trying to bring up with this bug.
I no longer see the sessionid in document.cookie. Might need to sign out and back in or clear the cookie to get the new httponly version.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Version: other → unspecified
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.