Thanks for re-formatting. :)

On 2018-04-25 01:07, hlbox16@xxxxxxxxxx wrote:
> (#2 reformatted, f*ck webmailer...)
> Hello,
>
> Our services must pass a scan test.
> Nikto says:
>
> + GET Cookie SQMSESSID created without the httponly flag
>
> I have not found a config option.
>
> I found the following function:
>
> # vi ./functions/global.php
> 589 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
> 590 $bSecure=false, $bHttpOnly=true, $bReplace=false) {
>
> But all calls use only 4 options (example):
> 663 sqsetcookie(session_name(), session_id(), 0, $base_uri);
>
> I have tried the following changes, but without success:
>
> # diff ./functions/global.php.org ./functions/global.php
> 590c590
> $bSecure=true, $bHttpOnly=true, $bReplace=false) {
>
> How to create a cookie with the httponly flag?

As you've seen, the code seems to be doing the right thing. I just looked in my browser console and all the SquirrelMail cookies are tagged as HttpOnly.

> SquirrelMail version 1.5.1

You should upgrade to 1.5.2-svn, which may or may not fix the problem.

--
Paul Lesniewski
SquirrelMail Team
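
Review bot: on line 590 the default that changes is $bSecure (false to true); $bHttpOnly already defaults to true in the original signature quoted at lines 589-590, so this edit cannot affect whether SQMSESSID is sent with HttpOnly. Because the call on line 663 passes only four arguments, it would now pick up Secure by default, and browsers do not send Secure cookies over plain HTTP, so sessions would break on any non-HTTPS access. I'd revert this and first confirm which Set-Cookie header the server actually emits for SQMSESSID before changing any defaults.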
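
To settle the disagreement between the scanner finding and the browser console in the thread above, the response headers themselves can be audited. The following is an added example, not code from SquirrelMail or from either poster; the header lines, the `/webmail/` path, the `example_pref` cookie and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie response headers for missing flags.
# The header lines below are constructed samples, not output from a real server.

SAMPLE_HEADERS = [
    "Set-Cookie: SQMSESSID=abc123; path=/webmail/; HttpOnly",
    "Set-Cookie: SQMSESSID=abc123; path=/webmail/",
    "Set-Cookie: example_pref=en_US; Path=/webmail/; Secure; httponly",
    "Content-Type: text/html; charset=utf-8",
]


def parse_set_cookie(line):
    """Return (cookie_name, set_of_lowercased_attribute_names) or None."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive (RFC 6265); flags carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return cookie_name, attrs


def audit(header_lines, https=False):
    """List (cookie, missing_flag) findings; Secure is only required on HTTPS."""
    required = ["httponly"] + (["secure"] if https else [])
    findings = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue  # not a Set-Cookie header
        cookie, attrs = parsed
        for flag in required:
            if flag not in attrs:
                findings.append((cookie, flag))
    return findings


if __name__ == "__main__":
    for cookie, flag in audit(SAMPLE_HEADERS, https=True):
        print(f"{cookie}: missing {flag}")
```

Feeding it the raw headers from every response that sets SQMSESSID (login page, redirect, logout) shows whether one code path emits the cookie without the flag while others include it.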