Werk #2392: Auth cookie is always using "httponly" flag

Component

User interface

Title

Auth cookie is always using "httponly" flag

Date

Jun 30, 2015

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Checkmk versions & editions

1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3 Not yet released	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i3	Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

All newly issued authentication cookies have the flag "httponly" set now. This makes the cookie values inaccessible from scripts executed in the browser, e.g. from Javascript. This secures the cookie against some sorts of cookie stealing attempts.

See https://www.owasp.org/index.php/HttpOnly for details.

To the list of all Werks