Insecure cookie setting: missing HttpOnly flag

Hi!

One of our clients has done a pentest and discovered JFBConnect sets a cookie without the HttpOnly flag. Is this something I can fix? The pentest report says:

Cookie Name: jfbconnect_permissions_granted
URL:
Evidence:

Set-Cookie: jfbconnect_permissions_granted=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/

Risk description:
A cookie has been set without the HttpOnly flag, which means that it can be accessed by the JavaScript code running inside the web page.
If an attacker manages to inject malicious JavaScript code on the page (e.g. by using an XSS attack) then the cookie will be accessible and it can be transmitted to another site. In case of a session cookie, this could lead to session hijacking.
The topic has been locked.
Support Specialist
2 years 5 months ago #67635 by alzander
The 'httpOnly' flag is a good security mechanism to prevent JavaScript from reading cookies. However, the cookie mentioned cannot have this flag set. The JFBConnect JavaScript functions use that cookie to determine what permissions the user has currently granted, and that information is needed *when the JavaScript login* functionality is enabled.

If an XSS issue were to occur on your site and the malicious party did read that cookie, I'm not sure what value it would have. It would simply inform the bad actor if the current user was logged in via Facebook and what permissions they had granted. There's no direct method to use that information for bad purposes, but more security is usually better.

There are many, many cookies usually generated on every site that do not have the httpOnly flag because it does restrict a lot of code functionality. As long as those cookies can't be used for 'evil' purposes, that's ok.

However, if you want to disable that cookie from being generated, you can set the "Show Login Credentials in Pop-up" setting in the Providers -> Facebook area to 'No'. That will redirect the user to Facebook.com for authentication instead of using the JavaScript login mechanism.

The above will prevent the cookie being set and rid yourself of the pentest message. There should be no compatibility issues using the server redirect login method either.

I hope that helps, but if you need anything else, just let me know.

Thanks,
Alex
2 years 5 months ago #67636 by crommie
OK thanks. I don't use the Facebook connect (I use Google) so I guess setting it to 'no' in the FB area would help and not do any harm, right?
Support Specialist
2 years 5 months ago #67637 by alzander
Ahhh... ok, then there's a different story there.

First, if you're not using FB authentication, then the cookie you posted above only gets set when a user has logged out of your site. When they log out, JFBConnect will always set 'jfbconnect_permissions_granted' with a value of 'deleted', as you posted above. In that case, the cookie is actually being deleted and has an expiration date in the past. A script (malicious or not) would get no value from this cookie. It provides no information.

Second, if you aren't using any Facebook functionality, you can disable the Facebook provider plugin altogether and the cookie above won't be set even on logout.

Thanks,
Alex
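The two replies above make two separate points a reviewer of such a report needs to check: that a cookie read by client-side JavaScript cannot carry HttpOnly at all, and that a Set-Cookie with value 'deleted', Max-Age=0 and an expiry in 1970 is the server clearing the cookie, not setting one, so the scanner's finding carries no risk. The triage script below is an added example written for this thread, not code from JFBConnect or from the pentest tool. It parses raw Set-Cookie values, reports the missing hardening attributes (HttpOnly, Secure, SameSite), and separates deletion cookies from cookies that actually need fixing. The sample headers are constructed for illustration: only the first mirrors the report, the other two are made up.

```python
"""Triage helper for 'missing HttpOnly' findings (added example).

Parses raw Set-Cookie header values, reports which hardening attributes are
absent, and separately flags *deletion* cookies (Max-Age=0 or an Expires date
in the past) so a finding like the one quoted in the thread can be classified
as "no value to an attacker" instead of chased as a code fix.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; only the first mirrors the report in the thread,
# the other two are invented for illustration.
SAMPLE_HEADERS = [
    "jfbconnect_permissions_granted=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/",
    "jfbconnect_permissions_granted=email%2Cpublic_profile; path=/",
    "joomla_session=0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and a lowercase attribute map.

    Flag attributes without a value (HttpOnly, Secure) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_deletion(cookie, now=None):
    """True when the server is clearing the cookie rather than setting one.

    Max-Age takes precedence over Expires, as in RFC 6265 section 5.3.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # browsers ignore a malformed Max-Age; fall through to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False  # unparseable Expires: treat as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= (now or datetime.now(timezone.utc))
    return False


def audit_cookie(header, now=None):
    """Return the hardening gaps for one Set-Cookie header.

    'deletion' is reported next to the gaps because a cleared cookie with an
    expiry in the past is a finding only a scanner cares about.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    return {
        "name": cookie["name"],
        "deletion": is_deletion(cookie, now),
        "missing_httponly": "httponly" not in attrs,
        "missing_secure": "secure" not in attrs,
        "missing_samesite": "samesite" not in attrs,
    }


def triage(headers, now=None):
    """Audit every header; the actionable list excludes deletion cookies."""
    results = [audit_cookie(h, now) for h in headers]
    actionable = [
        r for r in results
        if not r["deletion"] and (r["missing_httponly"] or r["missing_secure"])
    ]
    return results, actionable


if __name__ == "__main__":
    all_results, todo = triage(SAMPLE_HEADERS)
    for r in all_results:
        print(r)
    print("actionable:", [r["name"] for r in todo])
```

Run against the three samples, the report's own header is classified as a deletion and dropped from the actionable list, while the made-up live permissions cookie (the one the JavaScript login would read) is reported as missing HttpOnly and Secure. Note that "missing HttpOnly" on that second cookie is by design, exactly as the reply explains: a cookie that client-side code must read cannot carry the flag, so the right question for the reviewer is what the value discloses, not whether the flag is set.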
2 years 5 months ago - 2 years 5 months ago #67638 by crommie
Yes! I've disabled the Facebook plugin and now the cookie doesn't show up anymore and the pentest comes out clear.
Support Specialist
2 years 5 months ago #67647 by alzander
Glad to hear it. Never fun to keep warnings around if they're possible to be rid of :)

Thanks for letting us know,
Alex