MyBB Community Forums

Full Version: Session Cookie Without Secure Flag
Classification: Information
Resource: /
Risk: High


DISCUSSION

Vega has detected that a known session cookie may have been set without the secure flag.
IMPACT

Cookies can be exposed to network eavesdroppers.
Session cookies are authentication credentials; attackers who obtain them can get unauthorized access to affected web applications.
REMEDIATION

When creating the cookie in the code, set the secure flag to true.


How do I fix this?
MyBB, at least in the 1.8 series, sets the HttpOnly flag on cookies which authorize the user. I'm not too sure about 1.6 but I suspect it's the same.

However, I wouldn't bother scanning your forum with Vega. It's naive and can't compare to manual audits.
Thanks Nathan, what about the settings I need to change since I use SSL, header("strict-transport-security: max-age=600"); what else do I need to set?
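The remediation in the scan report ("set the secure flag to true when creating the cookie") and the HSTS question above, worked through as an added example. This is not MyBB's own code; it is a self-contained PHP fragment that assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), a site served only over HTTPS, and a hypothetical "remember_me" cookie standing in for whatever extra authentication cookie an application sets.

```php
<?php
// Added example, not MyBB code: issue the session cookie with the Secure and
// HttpOnly flags and send an HSTS header, before any output is written.
// Assumptions: PHP >= 7.3, HTTPS-only deployment, and that a one-year HSTS
// max-age is acceptable once the site has been verified to work over TLS.

declare(strict_types=1);

// A Secure cookie is never sent back by the browser on http://, and HSTS must
// only be emitted on TLS responses, so refuse to proceed over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(400);
    exit('HTTPS required');
}

// Session cookie (PHPSESSID by default): Secure + HttpOnly + SameSite=Lax.
// This is what the Vega finding is about: without 'secure' => true the
// cookie is also transmitted on any plain-HTTP request to the host.
session_set_cookie_params([
    'lifetime' => 0,        // expires when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // sent only over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Any other cookie that authenticates the user gets the same flags.
// The 'remember_me' name and the random token are constructed for this example.
$token = bin2hex(random_bytes(32));
setcookie('remember_me', $token, [
    'expires'  => time() + 60 * 60 * 24 * 30,   // 30 days
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// HSTS: browsers will rewrite http:// to https:// for this host for the
// max-age period. A short value such as the 600 seconds in the thread is
// fine while testing; raise it once every subdomain is confirmed to serve TLS,
// because includeSubDomains applies the policy to all of them.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
```

Both calls must run before the first byte of output, or PHP cannot add the headers. A quick check after deploying is to look at the Set-Cookie lines in the response headers: every authentication cookie should carry "Secure" and "HttpOnly", which is exactly what the scanner was looking for.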