Ivan Gretsky Posted September 4

Good day! I've got one of my sites security checked and this is the stuff (they say) I need to fix:

Quote:
Cookie-based Session Management configuration issues

1. Cookie utilizing the "Domain" attribute - The "domain" attribute enables cookies to be shared across multiple subdomains. This poses a risk as when a subdomain is compromised, the attacker could potentially steal or manipulate cookies. Risk of cross-site attacks can be reduced by restricting the cookie to a specific domain.

2. "__Host-" prefix not set - The __Host prefix mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. It is an additional hardening on top of 'normal' same-site cookies.

I can see that "Domain" is set to the current domain, which makes it the same as if it was missing, but those who check do not know that. Can I remove the Domain attribute from the cookie? It seems like I can't do it via config.

As far as I understood reading this, I need to add "__host-" to all the cookie names. I can rename "wire" to "__host-wire" in config, but is there a way to apply it to all cookies set by PW automatically? Or maybe I do not need it for anything but the session cookie.

Can't get my head around it (( Thanks)
BrendonKoz Posted September 5

@Ivan Gretsky I wish I had answers to your questions, but I'm mostly replying here out of curiosity for myself: I'm a little confused here. Is the first item that they want you to remove the Domain attribute, or they want it added? If they want it (Domain attribute) added, according to MDN, the "__Host- prefix [...] must not have a domain specified", though in your linked example, a domain is specified. That definitely confuses me. (Maybe MDN is wrong?)

As for how to modify those values in PW, I don't have an answer there. 😞
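The two findings and the MDN rule quoted above can be checked mechanically against the Set-Cookie headers a site actually sends. The following is an added example, not code from the thread or from ProcessWire: a small checker that parses a Set-Cookie header and reports a Domain attribute (finding 1), baseline Secure/HttpOnly/SameSite hygiene, and the __Host- prefix requirements per MDN and RFC 6265bis (Secure set, no Domain, Path=/). One point worth knowing when reading its output: a cookie without a Domain attribute is host-only and is sent back only to the exact host that set it, whereas Domain=example.com also covers every subdomain, so omitting the attribute is not the same thing as setting it to the current domain. The sample headers are constructed; the "as reported" one is modelled on the cookie described in the first post.

```python
"""Check Set-Cookie headers for the Domain attribute and __Host- prefix rules.

Added example for the thread above; the sample headers below are constructed,
not captured from any real site.
"""

from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map to
    True; valued attributes (Domain, Path, SameSite, ...) map to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def check_set_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings: list[str] = []

    # Finding 1 from the report: any Domain attribute widens the cookie to every
    # subdomain of that domain. Without Domain the cookie is host-only.
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} set; cookie is shared with all subdomains")

    # Baseline session-cookie hygiene, checked independently of the prefix.
    if attrs.get("secure") is not True:
        findings.append("Secure flag missing")
    if attrs.get("httponly") is not True:
        findings.append("HttpOnly flag missing")
    if "samesite" not in attrs:
        findings.append("SameSite attribute missing")

    # Finding 2 from the report: the __Host- prefix. Per MDN / RFC 6265bis a
    # __Host- cookie must be Secure (already flagged above when absent), must
    # not carry a Domain attribute, and must have Path=/ exactly.
    lowered = name.lower()
    if lowered.startswith("__host-"):
        if not name.startswith("__Host-"):
            findings.append(f"prefix spelled {name[:7]!r}; use the canonical __Host- spelling")
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    elif not lowered.startswith("__secure-"):
        # __Secure- needs only the Secure flag, which is checked above.
        findings.append("no __Host- prefix")
    return findings


# Constructed sample headers (not real captures). The first resembles the
# cookie described in the opening post: Domain set to the site's own host and
# no prefix. The second is the same cookie with Domain dropped and the prefix
# applied, which is what the report's two items ask for.
SAMPLE_HEADERS = {
    "as reported": "wire=abc123; Path=/; Domain=example.com; Secure; HttpOnly; SameSite=Lax",
    "hardened": "__Host-wire=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def audit(headers: dict[str, str]) -> dict[str, list[str]]:
    """Run check_set_cookie over a labelled set of headers."""
    return {label: check_set_cookie(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, findings in audit(SAMPLE_HEADERS).items():
        print(f"{label}: {findings or ['ok']}")
```

To use it on a live site, paste the value of each Set-Cookie response header (for example from the browser's network panel) into `check_set_cookie`; the session cookie is the one that matters most, but the same rules apply to any cookie the site sets.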
Ivan Gretsky Posted September 5 (Author)

Thanks for the answer, @BrendonKoz. I guess they want only one of those... I've read about the contradiction you mentioned but do not know the answer myself yet.
BrendonKoz Posted September 5

Perhaps reaching back out to them for clarification might be needed. 😄