Audit Cookies for Security

Bug #1944587 reported by Jason Stephenson
This bug affects 1 person
Affects: Evergreen
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Evergreen 3.5.3+

A recent security audit turned up HTTP cookies in Evergreen that are flagged neither Secure nor HttpOnly:

  * https://owasp.org/www-community/controls/SecureCookieAttribute
  * https://owasp.org/www-community/HttpOnly

Cookies not flagged as "Secure" will be sent over non-HTTPS connections and may expose information to a potential man-in-the-middle attack.

Cookies not flagged HttpOnly can be accessed by JavaScript and may expose useful data in a cross-site scripting attack.

The cookies set by the Evergreen OPACs and staff clients should be reviewed to set both the Secure and HttpOnly flags where appropriate. Perhaps these flags should be set by default and only removed where necessary?
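The kind of check the report describes can be automated against a server's response headers. The following is an added example written for this report, not Evergreen code: it parses Set-Cookie header values, reports every cookie that lacks the Secure or HttpOnly attribute, and shows a helper that applies the "set both flags by default, drop HttpOnly only where a page script must read the cookie" policy the report proposes. The cookie names and header lines in it are constructed sample input, not taken from Evergreen.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this bug report, not Evergreen code. The cookie names
and header lines below are constructed sample input, not Evergreen's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265 layout).

    The first ';'-separated piece is name=value; the remaining pieces are
    attributes. Attribute names are case-insensitive; Secure and HttpOnly
    are bare flags with no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    audit = CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )
    if not audit.secure:
        audit.findings.append("missing Secure: cookie may be sent over plain HTTP")
    if not audit.httponly:
        audit.findings.append("missing HttpOnly: cookie readable by page JavaScript")
    return audit


def audit_headers(set_cookie_values: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every cookie that fails the audit."""
    report: Dict[str, List[str]] = {}
    for value in set_cookie_values:
        audit = parse_set_cookie(value)
        if audit.findings:
            report[audit.name] = audit.findings
    return report


def harden(header_value: str, httponly: bool = True) -> str:
    """Return the Set-Cookie value with Secure (and, by default, HttpOnly) added
    when absent. httponly=False covers the exception the report allows for:
    a cookie that page scripts legitimately need to read."""
    audit = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    if not audit.secure:
        out += "; Secure"
    if httponly and not audit.httponly:
        out += "; HttpOnly"
    return out


# Constructed sample Set-Cookie values, as a server response might carry them
SAMPLE_SET_COOKIE = [
    "session_example=abc123; Path=/; HttpOnly",
    "prefs_example=lang%3Den; Path=/",
    "csrf_example=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_SET_COOKIE).items():
        print(f"{cookie}:")
        for finding in findings:
            print(f"  - {finding}")
    for header in SAMPLE_SET_COOKIE:
        print(harden(header))
```

Feeding the function the Set-Cookie values from a real response (for example, the headers a browser's developer tools or a `curl -I` against the OPAC over HTTPS show) yields the list of cookies to review; `harden` shows what the corrected header should look like for each.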

description: updated
tags: added: cleanup security
This report contains Public Security information: everyone can see this security related information.
