Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make all cookies httpOnly #17270

Closed
ghost opened this issue Feb 25, 2021 · 1 comment · Fixed by #17271
Closed

Make all cookies httpOnly #17270

ghost opened this issue Feb 25, 2021 · 1 comment · Fixed by #17271
Assignees
@sgiehl
Labels
Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@ghost
Copy link

ghost commented Feb 25, 2021

Summary

The matomo_lang cookie is not served as httpOnly, which was flagged by a pentest of our app. For use in high security or regulated industries, this can be a dealbreaker.

Your Environment

  • Matomo Version: 4.1.1
  • PHP Version: 7.4.7
  • Server Operating System: Amazon Linux
  • Additionally installed plugins: none
@ghost ghost added the Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. label Feb 25, 2021
@sgiehl
Copy link
Member

sgiehl commented Feb 25, 2021

Hi @Jenrol
Thanks for creating the issue. I will create a PR to change that behavior.

@sgiehl sgiehl self-assigned this Feb 25, 2021
@sgiehl sgiehl mentioned this issue Feb 25, 2021
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sgiehl sgiehl

Labels
Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Set httpOnly flag for session language cookie matomo-org/matomo
1 participant
@sgiehl