Bug #78835

Cookie be_lastLoginProvider doesn't respect httpOnly and Secure flags

Added by Bas v.d. Wiel about 8 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2016-11-29
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
7.0
Tags:
Complexity:
Is Regression:
No
Sprint Focus:
On Location Sprint

Description

My vulnerability scanner keeps firing on the be_lastLoginProvider cookie not being secure and httpOnly.

Actions #1

Updated by Markus Klein about 8 years ago

  • Project changed from TYPO3 Core to 1716

Actions #2

Updated by Gerrit Code Review about 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #3

Updated by Markus Klein about 8 years ago

  • Project changed from 1716 to TYPO3 Core
  • Status changed from Under Review to Needs Feedback
  • Is Regression set to No

This cookie is not security relevant at all. It simply stores your last login form provider.
What additional measures would you expect from it?

Actions #4

Updated by Markus Klein about 8 years ago

  • Status changed from Needs Feedback to Under Review

Actions #5

Updated by Gerrit Code Review about 8 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #6

Updated by Gerrit Code Review about 8 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #7

Updated by Bas v.d. Wiel about 8 years ago

Whether the cookie is security relevant or not by its content shouldn't matter if you ask me. The default behavior should be prudent in that any cookie being set should be set with the secure flag if it's being served over https, and httpOnly if that doesn't impede its function.
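
An added example (not TYPO3 code and not part of this thread) that turns the policy stated in the comment above into a check over Set-Cookie headers: Secure is required whenever the response is served over HTTPS, and HttpOnly is required unless the cookie name is on an explicit allowlist of cookies that client-side script must read. The header values, the provider-id placeholder and the `ui_theme` allowlist entry are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not TYPO3 code. Policy: every cookie served over HTTPS
carries Secure; every cookie carries HttpOnly unless it is allowlisted
because client-side script genuinely needs to read it.
"""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Finding:
    cookie: str
    missing: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return (cookie name, lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes may be bare flags (Secure, HttpOnly) or key=value (Path=/).
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers: Iterable[str], served_over_https: bool,
                  script_readable: frozenset[str] = frozenset()) -> list[Finding]:
    """Report cookies that violate the flag policy; an empty list means compliant."""
    findings: list[Finding] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if served_over_https and "secure" not in attrs:
            missing.append("Secure")
        if name not in script_readable and "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append(Finding(name, missing))
    return findings


# Constructed sample response headers modelled on the report; not captured from a real site.
SAMPLE_HEADERS = [
    "be_typo_user=abc123def456; path=/; secure; HttpOnly",
    "be_lastLoginProvider=PROVIDER_ID_PLACEHOLDER; expires=Wed, 29-Nov-2017 10:00:00 GMT; path=/",
    "ui_theme=dark; path=/; Secure",  # read by client script, so HttpOnly would break it
]

if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS, served_over_https=True,
                           script_readable=frozenset({"ui_theme"})):
        print(f"{f.cookie}: missing {', '.join(f.missing)}")
```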

Actions #8

Updated by Anja Leichsenring about 8 years ago

  • Sprint Focus set to On Location Sprint

Actions #9

Updated by Gerrit Code Review about 8 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #10

Updated by Gerrit Code Review about 8 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #11

Updated by Gerrit Code Review about 8 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #12

Updated by Gerrit Code Review about 8 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #13

Updated by Gerrit Code Review about 8 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #14

Updated by Gerrit Code Review about 8 years ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #15

Updated by Gerrit Code Review almost 8 years ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #16

Updated by Gerrit Code Review almost 8 years ago

Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #17

Updated by Gerrit Code Review almost 8 years ago

Patch set 12 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #18

Updated by Gerrit Code Review almost 8 years ago

Patch set 13 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #19

Updated by Gerrit Code Review almost 8 years ago

Patch set 14 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #20

Updated by Gerrit Code Review almost 8 years ago

Patch set 15 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #21

Updated by Gerrit Code Review almost 8 years ago

Patch set 16 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #22

Updated by Gerrit Code Review almost 8 years ago

Patch set 17 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/50808

Actions #23

Updated by Benni Mack almost 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #24

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed