You are viewing a plain text version of this content. The canonical link for it is here.

Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2006/04/27 08:46:04 UTC

[jira] Updated: (MODPYTHON-108) Let Cookie support new HttpOnly property to prevent cross-site cookie stealing

     [ http://issues.apache.org/jira/browse/MODPYTHON-108?page=all ]

Graham Dumpleton updated MODPYTHON-108:
---------------------------------------

    Attachment: MP108_20060427_grahamd_1.diff

Attached patch which should add the support for this. Someone else want to check for me as I am not an expert on cookies and don't have a browser which I know understands the option, nor do I know how one would conceivably test that it works as expected with that browser. Visually it seems to do the correct thing in terms of what is placed in the cookie in the headers.

> Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
> ------------------------------------------------------------------------------
>
>          Key: MODPYTHON-108
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-108
>      Project: mod_python
>         Type: Improvement

>   Components: core
>     Versions: 3.1.4, 3.2.7, 3.3
>     Reporter: Deron Meranda
>     Assignee: Jim Gallacher
>     Priority: Minor
>  Attachments: MP108_20060427_grahamd_1.diff
>
> The Cookie.Cookie class does not allow the new "httponly" cookie property to be set.  It needs to be added to the valid slots on the cookie metaclass.  Also note that like the "secure" cookie attribute, it is simple a boolean flag without any value.
> The HttpOnly flag was invented by Microsoft but seeing widespread support as a way to prevent cross-site scripting from stealing cookies using client-side Javascript.  This is especially important for security-sensitive cookies, such as session keys.
> The mod_python session object should also explicitly set the HttpOnly property on the cookies it creates.
> See also these related references:
> 1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> 2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
> 3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira