Audit Cookies for Security
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | New | Undecided | Unassigned |
Bug Description
Evergreen 3.5.3+
A recent security audit turned up HTTP cookies in Evergreen that are flagged neither Secure nor HttpOnly:
* https:/
* https:/
Cookies not flagged as "Secure" will be sent over non-HTTPS connections and may expose information to a potential man-in-the-middle attack.
Cookies not flagged HttpOnly can be accessed by JavaScript and may expose useful data in a cross-site scripting attack.
The cookies set by the Evergreen OPACs and staff clients should be reviewed to set both the Secure and HttpOnly flags where appropriate. Perhaps these flags should be set by default and only removed where necessary?
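An added example of the review the report asks for, not code from Evergreen itself: it parses Set-Cookie header values (attribute names are case-insensitive per RFC 6265) and lists every cookie that lacks the Secure or HttpOnly flag. The sample headers and cookie names are constructed placeholders, not Evergreen's actual cookies.

```python
# Added audit helper (not Evergreen's own code): check Set-Cookie headers
# for the Secure and HttpOnly flags and report which cookies lack them.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    missing: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the cookie name and flag presence."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so normalise before comparing.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    missing = [flag for flag, present in (("Secure", secure), ("HttpOnly", httponly))
               if not present]
    return CookieAudit(name, secure, httponly, missing)


def audit_headers(headers) -> dict:
    """Return {cookie_name: [missing flags]} for every cookie that fails the check."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.missing:
            findings[cookie.name] = cookie.missing
    return findings


# Constructed sample headers with placeholder cookie names (not Evergreen's).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "opac_pref=en-US; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "staff_token=xyz789; Path=/; HttpOnly",
    "tracking=1; Path=/; secure",
]

if __name__ == "__main__":
    for cookie_name, flags in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: missing {', '.join(flags)}")
```

Feed it the Set-Cookie values captured from the OPAC and staff client responses to get the list of cookies that still need the flags.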