Description
A CRITICAL security vulnerability exists in backend/server.js at lines 19–23. The express-session configuration omits all cookie security flags, leaving the session identifier unprotected against JavaScript access, CSRF, and plaintext interception.
Impact
Any XSS gadget in the application (or a compromised npm dependency that runs in the page) can read document.cookie and exfiltrate the session ID, giving full account takeover without the user's password. HttpOnly closes that exfiltration path by keeping the cookie out of the script-visible cookie jar; the XSS itself still needs fixing, since injected script can also just issue authenticated requests from the victim's browser. Without SameSite, cross-site requests carry the session cookie, enabling CSRF; recent Chromium builds treat an unset SameSite as Lax, but that default is browser-specific and should not be relied on. Without Secure, the browser attaches the cookie to any http:// request to the host, so an on-path attacker, or anyone who can induce a plain-HTTP request (a mixed-content link, an http:// bookmark), captures it in cleartext.
Steps to Reproduce
- Log in via /api/auth/login (from the app's login form, or with curl -i so the response headers are kept) and open DevTools → Application → Cookies.
- Observe that connect.sid has no HttpOnly, Secure, or SameSite flag set. Confirm this on the Set-Cookie response header rather than only in the DevTools table: express-session sets HttpOnly by default, so if the attribute is genuinely absent the configuration in backend/server.js must be overriding it with httpOnly: false.
- In the browser console, evaluate document.cookie and observe that the session ID is readable; a cookie carrying HttpOnly would not appear there.
Expected Behaviour
The session cookie should be set with HttpOnly; Secure; SameSite=Strict so JavaScript cannot read it, it is only sent over HTTPS, and it is only attached to same-site requests. Note that SameSite=Strict also withholds the cookie on top-level navigations from other sites, so a user following an external link into the app arrives logged out until they navigate again; SameSite=Lax is the usual choice when that matters, and an explicit Lax still blocks the cross-site POSTs that CSRF relies on.
Proposed Fix
Add cookie security flags to the express-session configuration, enable trust proxy if TLS is terminated in front of the Node process, and set NODE_ENV=production in the production Dockerfile (after the dependency-install step, since npm omits devDependencies when NODE_ENV=production is set at install time and the build may need them).
// backend/server.js
const isProd = process.env.NODE_ENV === 'production';

// Needed when TLS is terminated by a reverse proxy (nginx, an ingress, a load
// balancer). With secure: true, express-session does not set the cookie at all
// on a request it does not consider HTTPS, and behind a proxy it only learns
// that from X-Forwarded-Proto once trust proxy is enabled.
if (isProd) app.set('trust proxy', 1);

app.use(session({
  secret: process.env.SESSION_SECRET,      // express-session throws if this is unset
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,                        // not readable from document.cookie
    secure: isProd,                        // only sent over HTTPS
    sameSite: isProd ? 'strict' : 'lax',   // 'lax' keeps plain-HTTP local dev working
    maxAge: 24 * 60 * 60 * 1000,           // 24h absolute lifetime
  },
}));
# backend/Dockerfile.prod
# Place after the dependency-install step: npm omits devDependencies when
# NODE_ENV=production is already set at install time.
ENV NODE_ENV=production
Files affected: backend/server.js, backend/Dockerfile.prod
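The following is an added verification helper, not code from this project: it parses a Set-Cookie header the way the reproduction and fix above inspect it, reports which of HttpOnly, Secure and SameSite are missing on connect.sid, and factors the proposed cookie options out as a function of NODE_ENV so the development and production variants can be compared. It runs under plain Node with no dependencies; the two headers at the bottom are constructed samples (the signed value and date are made up), not output captured from the application.

```javascript
// Added example (not the project's code): audit the attributes on a session
// Set-Cookie header, and derive the express-session cookie options for a
// given NODE_ENV the way the proposed fix does. Plain Node, no dependencies.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of missing or unsafe attributes on a session cookie.
// An empty list means HttpOnly, Secure and a usable SameSite are all present.
function auditSessionCookie(header, cookieName = 'connect.sid') {
  const { name, attrs } = parseSetCookie(header);
  if (name !== cookieName) return [`cookie is "${name}", expected "${cookieName}"`];
  const findings = [];
  if (!attrs.httponly) findings.push('HttpOnly missing: readable via document.cookie');
  if (!attrs.secure) findings.push('Secure missing: sent over plaintext HTTP');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!sameSite) {
    findings.push('SameSite missing: cross-site requests carry the cookie');
  } else if (sameSite === 'none' && !attrs.secure) {
    findings.push('SameSite=None is rejected by browsers unless Secure is also set');
  }
  return findings;
}

// Find the session cookie among all Set-Cookie headers of a response (the
// array Node's http client exposes as res.headers['set-cookie']) and audit
// it. Returns null when no session cookie was issued at all.
function auditResponse(setCookieHeaders, cookieName = 'connect.sid') {
  const hit = setCookieHeaders.find((h) => parseSetCookie(h).name === cookieName);
  return hit === undefined ? null : auditSessionCookie(hit, cookieName);
}

// The cookie block of the proposed fix, as a function of NODE_ENV.
function sessionCookieOptions(nodeEnv) {
  const isProd = nodeEnv === 'production';
  return {
    httpOnly: true,
    secure: isProd,
    sameSite: isProd ? 'strict' : 'lax',
    maxAge: 24 * 60 * 60 * 1000,
  };
}

// Constructed samples. VULNERABLE_HEADER mirrors the issue's claim that all
// three attributes are absent (express-session's own default would still add
// HttpOnly); HARDENED_HEADER is what a production response should look like
// once the options above are applied.
const VULNERABLE_HEADER = 'connect.sid=s%3Aabc123.signature; Path=/';
const HARDENED_HEADER =
  'connect.sid=s%3Aabc123.signature; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict';

console.log('vulnerable:', auditSessionCookie(VULNERABLE_HEADER));
console.log('hardened  :', auditSessionCookie(HARDENED_HEADER));
```

To check a live deployment, paste the Set-Cookie line from a `curl -i` login response into auditSessionCookie; checking the raw header avoids the DevTools table hiding a cookie that was never set because secure: true was enabled without trust proxy.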
Labels
type:security level:intermediate gssoc:approved
Please assign this issue to me under GSSoC 2026. I will open a PR with a complete fix covering all affected files, proper test coverage, and verification steps.