Rovak / wallet-web

Tron Protocol Wallet
https://tronscan.org
GNU Lesser General Public License v3.0

[Bounty] [Security] SSL cookie without secure flag set #87

Closed funoverip closed 6 years ago

funoverip commented 6 years ago

Most session cookies issued by the Web app don't enforce the "Secure Flag" attribute.

Current Result:

Set-Cookie: SERVERID=7baf202017eea6038c2684d445bae08b|1523948063|1523948063;Path=/

Expected result:

Set-Cookie: SERVERID=7baf202017eea6038c2684d445bae08b|1523948063|1523948063;Path=/;secure

Or if applicable:

Set-Cookie: SERVERID=7baf202017eea6038c2684d445bae08b|1523948063|1523948063;Path=/;secure;HttpOnly
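The following checker is an added example, not code from the wallet-web project. It parses the three Set-Cookie values quoted in this report (the current one and the two expected ones), lists which hardening attributes each is missing, and shows what the header looks like once the missing flags are appended. The function names and the attribute matching are assumptions made for this illustration; attribute names are compared case-insensitively, as RFC 6265 requires.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example, not code from the wallet-web project. The headers below are
copied from the issue report; the checker itself is illustrative.
"""
from dataclasses import dataclass, field

# The three Set-Cookie values quoted in the issue (current result first).
SAMPLE_HEADERS = [
    "SERVERID=7baf202017eea6038c2684d445bae08b|1523948063|1523948063;Path=/",
    "SERVERID=7baf202017eea6038c2684d445bae08b|1523948063|1523948063;Path=/;secure",
    "SERVERID=7baf202017eea6038c2684d445bae08b|1523948063|1523948063;Path=/;secure;HttpOnly",
]


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for flags like Secure
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and attributes.

    The first ';'-separated piece is name=value; every later piece is an
    attribute that may carry a value (Path=/) or be a bare flag (Secure).
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for piece in pieces[1:]:
        if not piece:
            continue
        attr, has_value, attr_value = piece.partition("=")
        cookie.attributes[attr.strip().lower()] = attr_value.strip() if has_value else None
    return cookie


def missing_flags(header: str) -> list:
    """Return the hardening attributes absent from a Set-Cookie header.

    Secure stops the browser from sending the cookie over plain HTTP;
    HttpOnly stops page scripts from reading it.
    """
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie.attributes:
        findings.append("Secure")
    if "httponly" not in cookie.attributes:
        findings.append("HttpOnly")
    return findings


def harden(header: str) -> str:
    """Rewrite a Set-Cookie header so it carries Secure and HttpOnly.

    Existing attributes keep their order; only the missing flags are
    appended, so an already-hardened header comes back unchanged.
    """
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.split("=", 1)[0].strip().lower() for p in pieces[1:]}
    if "secure" not in present:
        pieces.append("Secure")
    if "httponly" not in present:
        pieces.append("HttpOnly")
    return ";".join(pieces)


def audit(headers) -> dict:
    """Map each header to its list of missing flags (empty list means fine)."""
    return {h: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{status:28} {header}")
        if missing:
            print(f"{'  suggested:':28} {harden(header)}")
```

Running the script reports the first header as missing both Secure and HttpOnly, the second as missing only HttpOnly, and the third as clean. The same check can be pointed at live responses by feeding it every Set-Cookie value a client receives; since a sticky-session cookie is typically set by the load balancer rather than the application, the flags have to be configured there.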

Rovak commented 6 years ago

tronscan.org currently doesn't use any cookies, everything is stored in local storage.

The server runs behind a load balancer which most likely uses the cookie for sticky sessions.