Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2010/09/11 16:31:32 UTC
[jira] Created: (SLING-1762) Improve security of form auth handler cookies
Improve security of form auth handler cookies
---------------------------------------------
Key: SLING-1762
URL: https://issues.apache.org/jira/browse/SLING-1762
Project: Sling
Issue Type: Improvement
Components: Authentication
Affects Versions: Form Based Authentication 1.0.0
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Form Based Authentication 1.0.2
There is a nice feature of Cookie support in browsers today, which prevents cookies from being accessed in client-side JavaScript: "HttpOnly". This makes using cookies almost as safe as HTTP Basic Authentication from the POV of accessing the data from client-side JavaScript.
The cookie(s) produced by the Form Authentication Handler should be protected using this attribute.
The drawback is that the Set-Cookie response header must be created manually because the Servlet API Cookie class up to and including 2.5 does not support setting this attribute (Servlet API 3.0 Cookie supports it, but we don't support Servlet API 3.0).
See http://www.owasp.org/index.php/HttpOnly for full details and http://www.browserscope.org/?category=security for up to date browser support information.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
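As an added illustration (not code from the original issue and not Sling's actual change), the following shows how a Servlet 2.5 application can emit an HttpOnly cookie by writing the Set-Cookie header itself instead of calling response.addCookie(). The class HttpOnlyCookieWriter and its method names are assumptions for this example; only the javax.servlet.http.Cookie getters and HttpServletResponse.addHeader() are real Servlet 2.5 API.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (example only, not Sling's implementation) that renders a
 * Servlet 2.5 Cookie as a raw Set-Cookie header so the HttpOnly attribute,
 * which Cookie 2.5 cannot express, is always present.
 */
public final class HttpOnlyCookieWriter {

    /** Netscape-style Expires format, understood by browsers that ignore Max-Age. */
    private static final String EXPIRES_FORMAT = "EEE, dd-MMM-yyyy HH:mm:ss 'GMT'";

    private HttpOnlyCookieWriter() {
    }

    /** Builds the Set-Cookie header value for the cookie, always with HttpOnly. */
    public static String toSetCookieHeader(Cookie cookie) {
        // Refuse names/values that could terminate the cookie or the header line;
        // otherwise a crafted value could inject additional attributes or headers.
        rejectUnsafe(cookie.getName());
        rejectUnsafe(cookie.getValue());

        StringBuilder sb = new StringBuilder();
        sb.append(cookie.getName()).append('=').append(cookie.getValue());

        if (cookie.getPath() != null) {
            sb.append("; Path=").append(cookie.getPath());
        }
        if (cookie.getDomain() != null) {
            sb.append("; Domain=").append(cookie.getDomain());
        }

        int maxAge = cookie.getMaxAge();
        if (maxAge >= 0) {
            // maxAge == 0 deletes the cookie; a positive value sets a lifetime.
            // Max-Age is emitted together with Expires because some older
            // browsers honour only Expires.
            sb.append("; Max-Age=").append(maxAge);
            sb.append("; Expires=").append(formatExpires(maxAge));
        }
        // maxAge < 0 (the Cookie default) means a session cookie: no expiry attribute.

        if (cookie.getSecure()) {
            sb.append("; Secure");
        }
        // The attribute this helper exists for: hidden from document.cookie.
        sb.append("; HttpOnly");
        return sb.toString();
    }

    /** Adds the cookie to the response as a raw header instead of via addCookie(). */
    public static void addHttpOnlyCookie(HttpServletResponse response, Cookie cookie) {
        response.addHeader("Set-Cookie", toSetCookieHeader(cookie));
    }

    private static String formatExpires(int maxAgeSeconds) {
        SimpleDateFormat fmt = new SimpleDateFormat(EXPIRES_FORMAT, Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        return fmt.format(new Date(System.currentTimeMillis() + maxAgeSeconds * 1000L));
    }

    private static void rejectUnsafe(String token) {
        if (token == null || token.length() == 0) {
            throw new IllegalArgumentException("cookie name/value must not be empty");
        }
        for (int i = 0; i < token.length(); i++) {
            char c = token.charAt(i);
            if (c == ';' || c == ',' || c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("illegal character in cookie token");
            }
        }
    }
}
```

Usage is a one-liner in the authentication handler: `HttpOnlyCookieWriter.addHttpOnlyCookie(response, cookie);`. The Secure flag is carried over from the Cookie object, so a handler that sets it for HTTPS-only deployments keeps that protection; the character check matters because a hand-built header bypasses whatever validation the container's addCookie() would otherwise apply. To confirm the result, inspect the Set-Cookie header in the browser's network tools and check that the cookie does not appear in document.cookie.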
[jira] Resolved: (SLING-1762) Improve security of form auth handler cookies
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-1762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-1762.
--------------------------------------
Resolution: Fixed
Implemented support for HttpOnly cookies in Rev. 996543
> Improve security of form auth handler cookies
> ---------------------------------------------
>
> Key: SLING-1762
> URL: https://issues.apache.org/jira/browse/SLING-1762
> Project: Sling
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Form Based Authentication 1.0.0
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Form Based Authentication 1.0.2
>
>
> There is a nice feature of Cookie support in browsers today, which prevents cookies from being accessed in client-side JavaScript: "HttpOnly". This makes using cookies almost as safe as HTTP Basic Authentication from the POV of accessing the data from client-side JavaScript.
> The cookie(s) produced by the Form Authentication Handler should be protected using this attribute.
> The drawback is that the Set-Cookie response header must be created manually because the Servlet API Cookie class up to and including 2.5 does not support setting this attribute (Servlet API 3.0 Cookie supports it, but we don't support Servlet API 3.0).
> See http://www.owasp.org/index.php/HttpOnly for full details and http://www.browserscope.org/?category=security for up to date browser support information.