|
Duplicate |
Team A
[ZBX-13262] Cookies are stored without http-only attribute which makes them vulnerable against XSS attacks. Created: 2017 Jun 16 Updated: 2024 Apr 10 Resolved: 2017 Dec 27 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.2.21rc1, 3.0.14rc1, 3.4.5rc1, 4.0.0alpha1, 4.0 (plan) |
| Type: | Incident report | Priority: | Trivial |
| Reporter: | Miks Kronkalns | Assignee: | Miks Kronkalns |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Epic Link: | DEV-591 | ||||
| Team: | Team A | ||||
| Team: | Team A |
||||
| Sprint: | Sprint 11, Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 16, Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21 | ||||
| Story Points: | 4 | ||||
| Description |
|
Customer wrote: We are a customer of Zabbix and during a recent test of our network we noticed that the Zabbix application is setting user's session cookies (PHPSESSID and zbx_sessionid) without the 'Http-only' attribute. Setting the Http-Only attribute helps protect the session cookies from being accessed and compromised via Cross-Site Scripting and Javascript attacks.I was not able to find any configurations to make such a change in Zabbix. Do you have any recommendations for me? Or is there a plan to include this configuration? |
| Comments |
| Comment by Miks Kronkalns [ 2017 Nov 23 ] |
|
Fixed:
|