You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Carsten Ziegeler (JIRA)" <ji...@apache.org> on 2010/12/20 15:55:06 UTC

[jira] Closed: (SLING-1762) Improve security of form auth handler cookies

     [ https://issues.apache.org/jira/browse/SLING-1762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler closed SLING-1762.
-----------------------------------


> Improve security of form auth handler cookies
> ---------------------------------------------
>
>                 Key: SLING-1762
>                 URL: https://issues.apache.org/jira/browse/SLING-1762
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Form Based Authentication 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Form Based Authentication 1.0.2
>
>
> There is a nice feature of Cookie support in browsers today, which prevents cookies from being accessed in client side Javascript: "HttpOnly". This makes using cookies almost as save as HTTP Basic Authentication from the POV of accessing the data from client-side JavaScript.
> The cookie(s) produced by the Form Authentication Handler should be protected using this attribute.
> The drawback is, that the Set-Cookie response header must be created manually because the Servlet API Cookie class up to and including 2.5 does not support setting this attribute (Servlet API 3.0 Cookie supports it, but we don't support Servlet API 3.0)
> See http://www.owasp.org/index.php/HttpOnly for full details and http://www.browserscope.org/?category=security for up to date browser support information.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.