Potential Vulnerability for BirdNetPi PHPSESSID Cookie

[Fryerchristopher]

I did a free scan of my BirdNetPI that I have made public (for my own use and not advertised but open to all) and it found two issues with the PHPSESSID cookie. Specifically, the scan recommends adding the httponly and secure flags to the cookie. Has anyone done this or do you know how? The cookie is in views.php I think. I am not much of a programmer so while I can find references for how to do this on the web, I don't want to break the website. I used https://pentest-tools.com/website-vulnerability-scanning for the test.

[Fryerchristopher]

Bump. Can anyone recommend a way to add the httponly and secure flags to the PHPSESSID cookie? Thank you.

[gerdesj]

This is within my remit! I use a system called Nessus at work to do IT vulnerability scanning and I occasionally point it at my Birdnet Pi. I generally do an external PCI/DSS type scan which is the Payment Card Industry Data Security Standard, which is a formal standard that people dealing with money over the internet have to conform to, so that seems a decent baseline to work from.

I should also do what is known as a credentialed scan - that's where you give Nessus a username and password and free reign over the filesystem to really look deeply.

The work you have done so far is absolutely the right thing to do. IT security is bloody hard and the more eyes the better. The particular issue you have identified rings true to me too, so I will take a look into it. If I recall correctly, it will be a couple of lines in the web server configuration.

[gerdesj]

I knew something was bothering me. You can only set the secure flag on a cookie if it is served over https. BNPi defaults to http. If you set the secure flag then no cookies will be served and that won't work very well. If you give it the right environment, caddy may automatically set up https itself using Lets Encrypt.

httponly is probably a good idea.