securityCookie

Sponsored by KastGroup Security

Security Tools

Headers

HTML

JavaScript

Cookies

SRI Bot

securityUltimate

Scan your site now

Security Report Summary
E
Site:
https://www.linkedin.com/
Scanned Site(s):
1
IP Address:
185.63.145.1
Report Time:
17 Nov 2019 00:14:01 UTC
Checks:
Secure
Http Only
Same Site
Host Only
Path Only
Future Expire
Unsafe Generation
Warning:
Please have a look at the security issues / warnings in the report.
Security Issues
Secure
The secure flag guarantees a secure transmission of the cookie. Only if a secure HTTPS connection to the host is available, the cookie is sent along the request. The default value of this flag is false, so it has to be activated by using the following generation command (PHP):
setcookie($name, $value, $expire, $path, $domain, 1, $httponly);
  • JSESSIONID=ajax:3629471759124704194; Path=/; Domain=.www.linkedin.com[https://www.linkedin.com/]
  • lang=v=2&lang=en-us; Path=/; Domain=linkedin.com[https://www.linkedin.com/]
  • bcookie="v=2&bf8b7622-0234-446b-8cd8-630c2cb03620"; domain=.linkedin.com; Path=/; Expires=Tue, 16-Nov-2021 11:51:31 GMT[https://www.linkedin.com/]
  • lidc="b=VGST04:g=1751:u=1:i=1573949639:t=1574036039:s=AQESP1Hawb6ETBYLyr5lpQ7jImUBtnRV"; Expires=Mon, 18 Nov 2019 00:13:59 GMT; domain=.linkedin.com; Path=/[https://www.linkedin.com/]
Http Only
By using the HTTPOnly Flag, cookies can not be read / modified by embedded JavaScript. The default value of this flag is false, so it has to be activated by using the following generation command (PHP):
setcookie($name, $value, $expire, $path, $domain, $secure, 1);
  • JSESSIONID=ajax:3629471759124704194; Path=/; Domain=.www.linkedin.com[https://www.linkedin.com/]
  • lang=v=2&lang=en-us; Path=/; Domain=linkedin.com[https://www.linkedin.com/]
  • bcookie="v=2&bf8b7622-0234-446b-8cd8-630c2cb03620"; domain=.linkedin.com; Path=/; Expires=Tue, 16-Nov-2021 11:51:31 GMT[https://www.linkedin.com/]
  • lidc="b=VGST04:g=1751:u=1:i=1573949639:t=1574036039:s=AQESP1Hawb6ETBYLyr5lpQ7jImUBtnRV"; Expires=Mon, 18 Nov 2019 00:13:59 GMT; domain=.linkedin.com; Path=/[https://www.linkedin.com/]
Same Site
The SameSite flag prevents the browser from sending a cookie along with cross-site requests. It can be set to strict or lax, where strict means that the cookie will not be available after leaving a site (used on bank websites). Lax will just not send the cookie along with CSRF-prone request methods (eg. POST) so this is often a reasonable balance between security and usability. To integrate this flag using PHP, the attribute has to be added as a string after another attribute.
setcookie($name, $value, $expire, $path, $domain, $secure, $httponly."; samesite=lax");
  • JSESSIONID=ajax:3629471759124704194; Path=/; Domain=.www.linkedin.com[https://www.linkedin.com/]
  • lang=v=2&lang=en-us; Path=/; Domain=linkedin.com[https://www.linkedin.com/]
  • bcookie="v=2&bf8b7622-0234-446b-8cd8-630c2cb03620"; domain=.linkedin.com; Path=/; Expires=Tue, 16-Nov-2021 11:51:31 GMT[https://www.linkedin.com/]
  • bscookie="v=1&20191117001359ba66a4a8-5115-465e-8e41-370a02744a51AQER60AHaECbtRFvZl3mBKrwT1nB0Su1"; domain=.www.linkedin.com; Path=/; Secure; Expires=Tue, 16-Nov-2021 11:51:31 GMT; HttpOnly[https://www.linkedin.com/]
  • lidc="b=VGST04:g=1751:u=1:i=1573949639:t=1574036039:s=AQESP1Hawb6ETBYLyr5lpQ7jImUBtnRV"; Expires=Mon, 18 Nov 2019 00:13:59 GMT; domain=.linkedin.com; Path=/[https://www.linkedin.com/]
Warnings
Future Expire
Sensitive informations should never be stored in a cookie with the expiring date set to a time in the future. In case the web application has a vulnerability and the attacker has access to a users cookies, he could use the same stolen cookie session id until the time in the future is reached. By setting it to NULL, the cookie will be deleted after the user closes the browser.
setcookie($name, $value, NULL, $path, $domain, $secure, $httponly);
  • bcookie="v=2&bf8b7622-0234-446b-8cd8-630c2cb03620"; domain=.linkedin.com; Path=/; Expires=Tue, 16-Nov-2021 11:51:31 GMT[https://www.linkedin.com/]
  • bscookie="v=1&20191117001359ba66a4a8-5115-465e-8e41-370a02744a51AQER60AHaECbtRFvZl3mBKrwT1nB0Su1"; domain=.www.linkedin.com; Path=/; Secure; Expires=Tue, 16-Nov-2021 11:51:31 GMT; HttpOnly[https://www.linkedin.com/]
  • lidc="b=VGST04:g=1751:u=1:i=1573949639:t=1574036039:s=AQESP1Hawb6ETBYLyr5lpQ7jImUBtnRV"; Expires=Mon, 18 Nov 2019 00:13:59 GMT; domain=.linkedin.com; Path=/[https://www.linkedin.com/]
Unsafe Generation
Generating a cookie using JavaScript sets the HTTPOnly flag automatically to false, since there is no way of creating a HTTPOnly-flag cookie on client side. To generate HTTPOnly cookies, use a backend-API, which will create a cookie at serverside.
  • document.cookie=t),location.reload()}}getLangCookieString(t){let e=null;if(null!==t){const s=t.toLocaleLowerCase().replace("_","-"),i=getDomain(docume...[https://static-exp1.licdn.com/sc/h/byr66ii524708ojyfzjgt0hfe]
Additional Information
Secure
The secure flag guarantees a secure transmission of the cookie. Only if a secure HTTPS connection to the host is available, the cookie is sent along the request. The default value of this flag is false, so it has to be activated by using the following generation command (PHP):
setcookie($name, $value, $expire, $path, $domain, 1, $httponly);
Http Only
By using the HTTPOnly Flag, cookies can not be read / modified by embedded JavaScript. The default value of this flag is false, so it has to be activated by using the following generation command (PHP):
setcookie($name, $value, $expire, $path, $domain, $secure, 1);
Same Site
The SameSite flag prevents the browser from sending a cookie along with cross-site requests. It can be set to strict or lax, where strict means that the cookie will not be available after leaving a site (used on bank websites). Lax will just not send the cookie along with CSRF-prone request methods (eg. POST) so this is often a reasonable balance between security and usability. To integrate this flag using PHP, the attribute has to be added as a string after another attribute.
setcookie($name, $value, $expire, $path, $domain, $secure, $httponly."; samesite=lax");
Host Only
By setting the domain attribute, it can be specified where on a host the cookie should be accessed. If it is set to loosely, it is possible that other potentially vulnerable servers under the same host could receive the cookie.
setcookie($name, $value, $expire, $path, "app.example.com", $secure, $httponly);
Path Only
Use the path attribute of a cookie to specify as tight as possible, where on a website the cookie is allowed to access. In case this value is set to loosely, it can be vulnerable to less secure applications on the same server.
setcookie($name, $value, $expire, "/myapp/", $domain, $secure, $httponly);
Future Expire
Sensitive informations should never be stored in a cookie with the expiring date set to a time in the future. In case the web application has a vulnerability and the attacker has access to a users cookies, he could use the same stolen cookie session id until the time in the future is reached. By setting it to NULL, the cookie will be deleted after the user closes the browser.
setcookie($name, $value, NULL, $path, $domain, $secure, $httponly);
Unsafe Generation
Generating a cookie using JavaScript sets the HTTPOnly flag automatically to false, since there is no way of creating a HTTPOnly-flag cookie on client side. To generate HTTPOnly cookies, use a backend-API, which will create a cookie at serverside.
Scanned URL(s)
LinkedIn: Log In or Sign Up
https://www.linkedin.com/