Session cookie without 'HttpOnly' Flag in lirantal/daloradius


Reported on

Dec 20th 2022


All versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag.

Proof of Concept

$ curl --head http://<hostname>/login.php
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2022 14:11:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=djogjur0vjgg0hd9jkdc27p2h1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8


The problem could cause JavaScript (e.g., using document.cookies) to access the PHPSESSID cookie value on the browser side.


To prevent JavaScript from being able to access the cookie value, the cookie must be transmitted with the HttpOnly flag set.


When defining the function dalo_session_start(), the function session_set_cookie_params should be properly called, before calling the function session_start.

We are processing your report and will contact the lirantal/daloradius team within 24 hours. a year ago
Filippo submitted a
a year ago
a year ago


The [fix](] has already been merged in the master branch on (lirantal/daloradius](

We have contacted a member of the lirantal/daloradius team and are waiting to hear back a year ago
Liran Tal
a year ago


Thank you Filippo. Appreciate the security bug report and the fix ūü§ó

A lirantal/daloradius maintainer has acknowledged this report a year ago
Liran Tal gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Liran Tal validated this vulnerability a year ago

Valid report and has been fixed in the latest master branch commit on repository

filippolauria has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Liran Tal marked this as fixed in master with commit 687861 a year ago
Filippo has been awarded the fix bounty
This vulnerability has now been published a year ago
sessions.php#L28-L41 has been validated
a year ago


You are welcome Liran :)

to join this conversation