Re: SQM-1.5 check security Cookie httponly flag



Thanks for re-formatting.  :)

On 2018-04-25 01:07, hlbox16@xxxxxxxxxx wrote:
> (#2 reformatted, f*ck webmailer...)
> Hello,
> Our services must pass a scan test.
> Nikto says:
> + GET Cookie SQMSESSID created without the httponly flag
> I have not found a config option.
> I found the following function:
> # vi ./functions/global.php
>     589 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
>     590                      $bSecure=false, $bHttpOnly=true, $bReplace=false) {
> But all calls use only 4 options (example):
>       663             sqsetcookie(session_name(), session_id(), 0, $base_uri);
> I have tried the following changes, but without success:
> # diff ./functions/ ./functions/global.php
> 590c590
>                       $bSecure=true, $bHttpOnly=true, $bReplace=false) {
> How to create a cookie with the httponly flag?

As you've seen, the code seems to be doing the right thing.  I just
looked in my browser console and all the SquirrelMail cookies are tagged
as HttpOnly.

> SquirrelMail version 1.5.1

You should upgrade to 1.5.2-svn, which may or may not fix the problem.

Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
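An added example, not part of this thread or of SquirrelMail's code: a small Python checker that does what the scanner and the browser-console check above do, reading the Set-Cookie headers captured from a response and reporting cookies that lack the HttpOnly flag (and Secure, when the response was served over HTTPS). The headers below are constructed sample input; the cookie names and paths are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample: response headers like those a webmail login might send.
# The first cookie carries HttpOnly, the second does not (the case a scanner
# flags), the third is a deletion cookie with both flags set.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SQMSESSID=0123abcd; path=/webmail/; HttpOnly"),
    ("Set-Cookie", "key=ZmFrZQ%3D%3D; path=/webmail/"),
    ("Set-Cookie", "old=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; HttpOnly; Secure"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute map).
    Flag attributes such as HttpOnly and Secure appear as keys with an empty value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[Tuple[str, str]], over_https: bool = True) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every Set-Cookie header.
    Secure is only expected when the response was served over HTTPS; a cookie
    set twice in one response is reported once, using its last Set-Cookie."""
    findings: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        missing: List[str] = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        findings[name] = missing
    return findings


def scanner_style_report(headers: List[Tuple[str, str]], over_https: bool = True) -> List[str]:
    """One line per weakly flagged cookie, in the style of the scanner output quoted above."""
    return [
        f"+ Cookie {name} created without the {', '.join(m)} {'flag' if len(m) == 1 else 'flags'}"
        for name, m in audit_cookies(headers, over_https).items() if m
    ]
```

Feed it the headers from a real login response (e.g. copied from the browser's network panel) to confirm what the server actually sends, independent of what the PHP defaults suggest.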
