This repository has been archived by the owner on Jan 7, 2020. It is now read-only.

[Security]Uchiwa 0.22.2: SecureFlag missing in AuthenticationToken and XSRF-Token cookie #656

Closed
itsDaksha opened this issue Mar 17, 2017 · 2 comments · Fixed by #661

@itsDaksha

Expected Behavior

From a security point of view, it is required that the Secure flag must be set on all sensitive cookies.

Current Behavior

Currently, there is no Secure flag on the AuthenticationToken and XSRF-Token cookies.

Possible Solution

The Secure flag can be added in the HTTP response to avoid any security vulnerability.

Reference: https://www.owasp.org/index.php/SecureFlag

@palourde palourde added this to the 0.23.0 milestone Mar 17, 2017
@palourde (Contributor) commented Mar 17, 2017

Note: We should only set the Secure flag if the connection is encrypted over HTTPS. It should be relatively easy to do here.
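
The conditional behaviour palourde describes, together with the fix the issue asks for, in a Go sketch. This is an added example, not Uchiwa's code or the fix merged in #661: the helper names (isSecureRequest, setSessionCookies, issueCookies), the trustProxyHeader switch and the sample token values are all constructed here for illustration. It sets the Secure flag on both cookies only when the request itself arrived over HTTPS, and shows the caveat a deployment behind a TLS-terminating reverse proxy runs into, where r.TLS is nil and the only signal is a proxy header that must not be trusted by default.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isSecureRequest reports whether the client reached the server over HTTPS.
// r.TLS is non-nil only when this Go server terminated TLS itself. Behind a
// reverse proxy that terminates TLS, r.TLS is nil for every request, so the
// proxy's X-Forwarded-Proto header is consulted instead, but only when the
// operator has opted in (trustProxyHeader): the header is client-controlled
// unless the proxy overwrites it, so trusting it unconditionally would let a
// client that reaches the backend directly choose the flag for itself.
// (Hypothetical helper written for this example, not Uchiwa's code.)
func isSecureRequest(r *http.Request, trustProxyHeader bool) bool {
	if r.TLS != nil {
		return true
	}
	if !trustProxyHeader {
		return false
	}
	// The header may carry a comma-separated chain of hops; the first entry
	// is the scheme the original client used.
	first := strings.SplitN(r.Header.Get("X-Forwarded-Proto"), ",", 2)[0]
	return strings.EqualFold(strings.TrimSpace(first), "https")
}

// setSessionCookies writes the two cookies named in the issue. Secure is set
// on both exactly when the request arrived over HTTPS, which is what the
// comment above asks for: on a plain-HTTP deployment a Secure cookie would
// never be sent back by the browser and the dashboard would be unusable.
// AuthenticationToken is additionally HttpOnly; XSRF-Token is not, because
// the browser-side client has to read it to echo it in a request header.
func setSessionCookies(w http.ResponseWriter, r *http.Request, token, xsrf string, trustProxyHeader bool) {
	secure := isSecureRequest(r, trustProxyHeader)
	http.SetCookie(w, &http.Cookie{
		Name:     "AuthenticationToken",
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	})
	http.SetCookie(w, &http.Cookie{
		Name:     "XSRF-Token",
		Value:    xsrf,
		Path:     "/",
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	})
}

// issueCookies simulates one login response and returns the cookies it set,
// keyed by name, so their flags can be inspected. overTLS models a connection
// the server itself terminated; forwardedProto models a proxy header. The
// token values are constructed placeholders.
func issueCookies(overTLS bool, forwardedProto string, trustProxyHeader bool) map[string]*http.Cookie {
	req := httptest.NewRequest("POST", "http://dashboard.example/login", nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{HandshakeComplete: true}
	}
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	setSessionCookies(rec, req, "constructed-session-token", "constructed-xsrf-token", trustProxyHeader)
	out := map[string]*http.Cookie{}
	for _, c := range rec.Result().Cookies() {
		out[c.Name] = c
	}
	return out
}

func main() {
	cases := []struct {
		name  string
		https bool
		proto string
		trust bool
	}{
		{"direct HTTPS", true, "", false},
		{"direct HTTP", false, "", false},
		{"proxy says https, header trusted", false, "https", true},
		{"proxy says https, header not trusted", false, "https", false},
	}
	for _, c := range cases {
		cookies := issueCookies(c.https, c.proto, c.trust)
		auth := cookies["AuthenticationToken"]
		fmt.Printf("%-40s Secure=%v HttpOnly=%v\n", c.name, auth.Secure, auth.HttpOnly)
	}
}
```

The check a reviewer would run against a build carrying the fix is the second and fourth rows of that table: over plain HTTP the cookie must still come back without Secure, otherwise HTTP-only installs lose their session on every request, and an unauthenticated X-Forwarded-Proto header must not be able to turn the flag on or off.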

@itsDaksha (Author) commented

Any possibility of getting this fix in 0.22.x?


2 participants