Re: SQM-1.5 check security Cookie httponly flag

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for re-formatting.  :)

On 2018年04月25日 01:07, hlbox16@xxxxxxxxxx wrote:
> (#2 reformated, f*ck webmailer...)
> Hallo,
> 
> Our services must pass a scan test.
> Nikto say:
> 
> + GET Cookie SQMSESSID created without the httponly flag
> 
> I have not found a config option.
> 
> I found following function:
> 
> # vi ./functions/global.php
>     589 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
>     590                      $bSecure=false, $bHttpOnly=true, $bReplace=false) {
> 
> But all calls use only 4 options (example):
>       663             sqsetcookie(session_name(), session_id(), 0, $base_uri);
> 
> I have tried following changes, but without success:
> 
> # diff ./functions/global.php.org ./functions/global.php
> 590c590
>                       $bSecure=true, $bHttpOnly=true, $bReplace=false) {
> 
> Howto create Cookie with httponly flag?

As you've seen, the code seems to be doing the right thing.  I just
looked in my browser console and all the SquirrelMail cookies are tagged
as HttpOnly.

> SquirrelMail version 1.5.1

You should upgrade to 1.5.2-svn, which may or may not fix the problem.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users




[Index of Archives]     [Video For Linux]     [Yosemite News]     [Yosemite Photos]     [gtk]     [KDE]     [Cyrus SASL]     [Gimp on Windows]     [Steve's Art]     [Webcams]

  Powered by Linux