Session cookie without 'HttpOnly' Flag in lirantal/daloradius


Reported on Dec 20th 2022


All versions of daloRADIUS prior to the master branch transmit the session cookie (i.e. PHPSESSID) without setting the HttpOnly flag.

Proof of Concept

$ curl --head http://<hostname>/login.php
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2022 14:11:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=djogjur0vjgg0hd9jkdc27p2h1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8


Because the flag is missing, JavaScript running in the page (e.g. via document.cookie) can read the PHPSESSID cookie value on the browser side.
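As an added example (not part of the original report), a small PHP check that parses raw response headers like the curl output above and reports which protective cookie attributes are absent. The sample input is the report's own header block, embedded as a string; the function name and the inclusion of Secure and SameSite alongside HttpOnly are this example's choices, not something the report states.

```php
<?php
// Added example, not daloRADIUS code. Audits Set-Cookie headers from an
// HTTP response for the HttpOnly flag (plus Secure and SameSite).

// Constructed sample: the header block shown in the report's PoC.
$sampleResponse = <<<'HDR'
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2022 14:11:38 GMT
Server: Apache
Set-Cookie: PHPSESSID=djogjur0vjgg0hd9jkdc27p2h1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
HDR;

/**
 * Returns one entry per Set-Cookie header: the cookie name, whether it is
 * the session cookie, and which protective attributes are missing.
 * Attribute names are case-insensitive (RFC 6265), so they are lowercased.
 */
function audit_set_cookie_headers(string $rawHeaders, string $sessionCookieName = 'PHPSESSID'): array
{
    $findings = [];
    foreach (preg_split('/\r?\n/', $rawHeaders) as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a Set-Cookie header line
        }
        // "name=value; attr1; attr2=val" -> name, then attribute names only
        $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
        $name  = explode('=', array_shift($parts), 2)[0];
        $attrs = array_map(fn($a) => strtolower(explode('=', $a, 2)[0]), $parts);
        $missing = array_values(array_diff(['httponly', 'secure', 'samesite'], $attrs));
        $findings[] = [
            'cookie'  => $name,
            'session' => strcasecmp($name, $sessionCookieName) === 0,
            'missing' => $missing,
        ];
    }
    return $findings;
}

// Usage: run against the constructed sample above.
foreach (audit_set_cookie_headers($sampleResponse) as $f) {
    $label = $f['session'] ? 'session cookie' : 'cookie';
    echo sprintf("%s %s: missing %s\n", $label, $f['cookie'],
        $f['missing'] ? implode(', ', $f['missing']) : 'nothing');
}
```

For the PoC headers the session cookie line is flagged with all three attributes missing; a fixed deployment should at least drop "httponly" from that list.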


To prevent JavaScript from being able to access the cookie value, the cookie must be transmitted with the HttpOnly flag set.


When defining the function dalo_session_start(), session_set_cookie_params() should be called with the proper parameters before session_start() is invoked.
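The following is an added example of that ordering, written for this page rather than taken from the daloRADIUS repository: the vulnerable shape beside a hardened dalo_session_start() that fixes the cookie parameters before the session is started. The function names with the _vulnerable/_hardened suffixes and the helper session_cookie_flags() are assumptions; the Secure and SameSite settings go beyond the HttpOnly flag the report is about.

```php
<?php
// Added example, not daloRADIUS code.

// Vulnerable shape (as the report describes): session_start() runs with
// the defaults, so the Set-Cookie header carries no HttpOnly flag.
function dalo_session_start_vulnerable(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Hardened shape: cookie parameters must be set before session_start(),
// because they cannot be changed once a session is active.
function dalo_session_start_hardened(bool $secure = true): void
{
    if (session_status() !== PHP_SESSION_NONE) {
        return; // session already started; parameters are fixed
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, expires with the browser session
        'path'     => '/',
        'domain'   => '',
        'secure'   => $secure,  // send only over HTTPS (assumption beyond the report)
        'httponly' => true,     // the flag this report is about: document.cookie cannot read it
        'samesite' => 'Lax',    // limits cross-site sending (assumption beyond the report)
    ]);
    session_start();
}

// Helper (assumption) to confirm what the next session cookie will carry.
function session_cookie_flags(): array
{
    $p = session_get_cookie_params();
    return [
        'httponly' => $p['httponly'],
        'secure'   => $p['secure'],
        'samesite' => $p['samesite'],
    ];
}

// Usage: CLI self-check. In a web request the same settings produce a
// header of the form "Set-Cookie: PHPSESSID=...; path=/; secure; HttpOnly; SameSite=Lax".
if (PHP_SAPI === 'cli') {
    dalo_session_start_hardened(false); // no TLS on the CLI, so secure=false here
    var_dump(session_cookie_flags());
}
```

The array form of session_set_cookie_params() requires PHP 7.3 or later; on older releases the same effect comes from the positional arguments or from setting session.cookie_httponly in php.ini before the session starts.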

Filippo (20 days ago)


The fix has already been merged in the master branch on lirantal/daloradius.

Liran Tal (19 days ago)


Thank you Filippo. Appreciate the security bug report and the fix 🤗

A lirantal/daloradius maintainer has acknowledged this report 19 days ago
Liran Tal gave praise 19 days ago
Liran Tal validated this vulnerability 19 days ago

Valid report, and it has been fixed in the latest master branch commit on the repository.

Filippo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Liran Tal marked this as fixed in master with commit 687861 19 days ago
Filippo has been awarded the fix bounty
This vulnerability has been assigned a CVE
Liran Tal published this vulnerability 19 days ago
sessions.php#L28-L41 has been validated 19 days ago

Filippo (19 days ago)


You are welcome Liran :)
