Summary
The SameSite attribute of the PHPSESSID cookie is not always set.
Details
The SameSite attribute is set in php/locale.php (lines 3 to 4 at commit f53e452), before the session is started:

```php
session_set_cookie_params(['samesite' => 'Strict']);
session_start();
```
php/locale.php is included on most pages, but not on all of them, and sessions are started without session_set_cookie_params(['samesite' => 'Strict']) in multiple places (all at commit f53e452):

- php/countries.php (lines 1 to 3)
- php/flights.php (lines 1 to 3)
- php/kml.php (lines 1 to 5)
- php/logout.php (lines 1 to 3)

For example, php/kml.php calls session_start() directly, so the cookie is issued with whatever session.cookie_samesite defaults to (empty unless configured in php.ini):

```php
<?php

// https://developers.google.com/kml/documentation/kmlreference

session_start();
```
If one of these pages is the first page visited by a user in a session, the user will receive a cookie without the SameSite attribute.
PoC
Visit https://openflights.org/php/logout.php with no existing cookies (for example in a fresh browser profile) and inspect the Set-Cookie response header: the PHPSESSID cookie is issued with no SameSite attribute.
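The check behind this PoC, generalized to every page listed above, as an added example that is not part of the advisory or of the openflights code: it parses Set-Cookie values, classifies how each response sets PHPSESSID, and reports the pages whose cookie lacks SameSite. The sample responses are constructed to mirror the advisory (not captured traffic), and the helper names (`samesite_status`, `audit`, `fetch_set_cookie_values`) are this example's own; the live-fetch helper is optional and needs network access.

```python
"""Audit Set-Cookie headers for a session cookie that is missing SameSite.

Added example, not code from the advisory or the openflights project. The
SAMPLE_RESPONSES below are constructed to mirror the advisory: the page that
goes through php/locale.php sends SameSite=Strict, pages that call
session_start() directly send no SameSite attribute at all.
"""
import http.client
import urllib.parse
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly or
    Secure map to None because they carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name.strip(), attrs


def samesite_status(set_cookie_values: List[str], cookie_name: str = "PHPSESSID") -> str:
    """Classify how one response sets cookie_name.

    "ok"        - SameSite=Strict or SameSite=Lax
    "none"      - SameSite=None (cross-site sending explicitly allowed)
    "missing"   - attribute absent or unrecognized (browsers ignore unknown
                  values, so that is equivalent to absent); the advisory's case
    "no-cookie" - the response does not set cookie_name at all
    """
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue
        samesite = attrs.get("samesite")
        if samesite is None:
            return "missing"
        if samesite.lower() == "none":
            return "none"
        if samesite.lower() in ("strict", "lax"):
            return "ok"
        return "missing"
    return "no-cookie"


def audit(responses: Dict[str, List[str]], cookie_name: str = "PHPSESSID") -> Dict[str, str]:
    """Map {page: [Set-Cookie values]} to {page: status}."""
    return {page: samesite_status(values, cookie_name) for page, values in responses.items()}


def pages_missing_samesite(responses: Dict[str, List[str]], cookie_name: str = "PHPSESSID") -> List[str]:
    """Return the pages whose cookie_name cookie is issued without SameSite."""
    return sorted(page for page, status in audit(responses, cookie_name).items() if status == "missing")


def fetch_set_cookie_values(url: str, timeout: float = 10.0) -> List[str]:
    """GET url without sending any Cookie header and return its raw Set-Cookie values.

    http.client is used directly so a redirect (a logout page usually sends
    one) is not followed and the first response's own headers are inspected.
    """
    parsed = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.netloc, timeout=timeout)
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    try:
        conn.request("GET", path, headers={"User-Agent": "samesite-audit"})
        response = conn.getresponse()
        return response.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample responses mirroring the advisory (not captured traffic).
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "/php/locale.php":    ["PHPSESSID=8f1c5b2e; path=/; SameSite=Strict"],
    "/php/countries.php": ["PHPSESSID=3a9d0e7f; path=/"],
    "/php/flights.php":   ["PHPSESSID=c4b2e6a1; path=/"],
    "/php/kml.php":       ["PHPSESSID=d71f9b03; path=/"],
    "/php/logout.php":    ["PHPSESSID=0e5a4c8b; path=/"],
    "/static.html":       [],  # a response that sets no session cookie
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live mode: audit each URL given on the command line (network required).
        results = audit({url: fetch_set_cookie_values(url) for url in sys.argv[1:]})
    else:
        results = audit(SAMPLE_RESPONSES)
    for page, status in results.items():
        print(f"{status:10} {page}")
```

Run it with no arguments to see the constructed sample classified, or pass the full URLs of the pages above to audit the live site from a cookie-less client. A "missing" result is weaker than it may look: Chromium-based browsers treat a cookie with no SameSite as Lax, which still sends it on top-level cross-site GET navigations, and browsers that do not apply that default send it on any cross-site request. On the PHP side the attribute can be enforced for every page regardless of which files are included, either by setting the session.cookie_samesite ini directive or by moving the session_set_cookie_params call into a bootstrap that runs before every session_start().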
Impact
Normally users won't visit these unsafe pages before visiting other pages in a session, but an attacker may lure the victim into opening one of them as the first page. Because PHP only sends the session cookie when it creates the session, a later visit to a page that includes php/locale.php does not replace the attribute-less cookie, so it stays weak for the rest of the session and CSRF attacks may follow.