View Issue Details
Field | Value |
---|---|
ID | 0010709 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2009-07-10 23:20 |
Last Update | 2009-10-07 14:19 |
Reporter | dhx |
Assigned To | dhx |
Priority | normal |
Severity | feature |
Reproducibility | N/A |
Status | closed |
Resolution | fixed |
Product Version | 1.2.0rc2 |
Target Version | 1.2.0rc2 |
Fixed in Version | 1.2.0rc2 |
Summary | 0010709: Use HttpOnly cookie flag to protect cookies from client-side Javascript manipulation/theft |
Description | See http://www.owasp.org/index.php/HTTPOnly for further information if you haven't heard of this before. |
Tags | No tags attached. |
MantisBT: master-1.2.x 2a6892bc 2009-07-11 01:11

Teach MantisBT to bake tough cookies

The Secure cookie flag is now set for all cookies when the user is browsing via a TLS protected connection. Originally this flag was only set for the PHP session ID cookie.

MantisBT now supports the HttpOnly cookie flag and will use it when possible (PHP 5.2.0 is required). This flag tells the client browser to deny Javascript access to the cookie (both reading and writing). As such, this flag is very useful in providing another layer of protection against XSS attacks.

The gpc_set_cookie function has an additional parameter to disable the HttpOnly flag on a per-cookie basis. This parameter should be set to false when sending a cookie to the client that client-side Javascript needs to read or write.

Fixes 0010709, 0010712

Affected Issues: 0010709, 0010712

mod - core/session_api.php
mod - core/gpc_api.php
MantisBT: master 58a67eef 2009-07-11 01:11

Teach MantisBT to bake tough cookies

The Secure cookie flag is now set for all cookies when the user is browsing via a TLS protected connection. Originally this flag was only set for the PHP session ID cookie.

MantisBT now supports the HttpOnly cookie flag and will use it when possible (PHP 5.2.0 is required). This flag tells the client browser to deny Javascript access to the cookie (both reading and writing). As such, this flag is very useful in providing another layer of protection against XSS attacks.

The gpc_set_cookie function has an additional parameter to disable the HttpOnly flag on a per-cookie basis. This parameter should be set to false when sending a cookie to the client that client-side Javascript needs to read or write.

Fixes 0010709, 0010712

Affected Issues: 0010709, 0010712

mod - core/session_api.php
mod - core/gpc_api.php
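The behaviour both commit messages describe, as an added PHP example that is not MantisBT's own gpc_set_cookie code: a wrapper that sets Secure only when the request arrived over TLS and HttpOnly by default, with a per-cookie opt-out for values that page scripts must read or write. The function names, the HTTPS detection and the cookie names below are this example's own assumptions.

```php
<?php
// Added example, not MantisBT's gpc_set_cookie(): applies the two cookie
// flags discussed in the commit above.
//   Secure   - set only when the current request arrived over TLS, so the
//              browser never sends the cookie back over plain HTTP.
//   HttpOnly - on by default (PHP >= 5.2.0 exposes it as setcookie()'s 7th
//              argument); disabled per cookie only for values that
//              client-side JavaScript must legitimately read or write.
// Function names, parameters and cookie names are this example's assumptions.

function request_is_tls(): bool
{
    // Common SAPI convention: HTTPS is a non-empty value other than "off".
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

/**
 * Sends the cookie and returns the attribute list that was applied, so the
 * caller can verify which protections the cookie actually received.
 */
function set_hardened_cookie(string $name, string $value, int $expire = 0, bool $httponly = true): array
{
    $secure = request_is_tls();
    // Positional form: name, value, expire, path, domain, secure, httponly.
    setcookie($name, $value, $expire, '/', '', $secure, $httponly);

    $attrs = ['Path=/'];
    if ($secure) {
        $attrs[] = 'Secure';
    }
    if ($httponly) {
        $attrs[] = 'HttpOnly';
    }
    return $attrs;
}

// Constructed demo: pretend the request came in over TLS.
$_SERVER['HTTPS'] = 'on';

// Session identifier: scripts must never read it -> Secure + HttpOnly.
$session = set_hardened_cookie('session_id', 'constructed-session-token');

// UI preference that a page script reads on the client -> HttpOnly opted out.
$pref = set_hardened_cookie('ui_prefs', 'sidebar:1', time() + 86400, false);

echo 'session cookie attributes:    ' . implode('; ', $session) . PHP_EOL;
echo 'preference cookie attributes: ' . implode('; ', $pref) . PHP_EOL;
```

Run from the CLI the calls succeed because no output precedes them; in a real page the wrapper must be called before any body output, as setcookie() requires.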