Apache Mod-Python - Created: (MODPYTHON-108) Let Cookie support new HttpOnly property to prevent cross-site cookie stealing


Author: Deron Meranda (JIRA)

Date: 2006-01-06, 2:47 am

Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
------------------------------------------------------------------------------

Key: MODPYTHON-108
URL: http://issues.apache.org/jira/browse/MODPYTHON-108
Project: mod_python
Type: Improvement
Components: core
Versions: 3.2, 3.1.4, 3.3
Reporter: Deron Meranda
Priority: Minor


The Cookie.Cookie class does not allow the new "httponly" cookie property to be set. It needs to be added to the valid slots on the cookie metaclass. Also note that, like the "secure" cookie attribute, it is simply a boolean flag without any value.

The HttpOnly flag was invented by Microsoft but is seeing widespread support as a way to prevent cross-site scripting from stealing cookies using client-side JavaScript. This is especially important for security-sensitive cookies, such as session keys.

The mod_python session object should also explicitly set the HttpOnly property on the cookies it creates.

See also these related references:
1. http://msdn.microsoft.com/workshop/...nly_cookies.asp
2. http://search.cpan.org/~mschout/Apa...2/AuthCookie.pm
3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
4. http://www.linux.com/howtos/Secure-...s-content.shtml
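The behaviour the report asks for, as an added stand-alone example (not mod_python's Cookie module, and not code from the reporter): a slot-based cookie class in which "httponly" sits beside "secure" as a valueless flag, a session helper that always sets both, and a Set-Cookie parser that lets a test or response audit confirm the flag actually reached the header. The class and function names, and the sample cookie values, are assumptions constructed for the example.

```python
# Constructed example modelled on the report above; this is NOT mod_python's
# Cookie.Cookie class. Names (Cookie, session_cookie, parse_set_cookie) are
# assumptions chosen for illustration.

# Attributes that carry a value in the header ("Path=/", "Max-Age=3600").
VALUED_ATTRS = ("expires", "path", "domain", "max_age", "comment", "version")
# Attributes that are bare flags ("Secure", "HttpOnly"): present or absent,
# never "=value". This is the list the report wants "httponly" added to.
FLAG_ATTRS = ("secure", "httponly")

# Header spellings for the flag attributes.
_FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly"}


def _header_name(attr):
    # "max_age" -> "Max-Age", "path" -> "Path"
    return "-".join(p.capitalize() for p in attr.split("_"))


class Cookie:
    """Cookie whose attribute set is fixed at class creation, in the spirit
    of the slot-based class the report describes."""

    __slots__ = ("name", "value") + VALUED_ATTRS + FLAG_ATTRS

    def __init__(self, name, value, **attrs):
        self.name = name
        self.value = value
        for attr in VALUED_ATTRS:
            setattr(self, attr, None)
        for attr in FLAG_ATTRS:
            setattr(self, attr, False)
        for attr, val in attrs.items():
            # Attributes outside the slot list are rejected; that is exactly
            # what happened to "httponly" while it was missing from the list.
            if attr not in self.__slots__[2:]:
                raise AttributeError("unsupported cookie attribute: %s" % attr)
            setattr(self, attr, val)

    def __str__(self):
        """Render the value of a Set-Cookie response header."""
        parts = ["%s=%s" % (self.name, self.value)]
        for attr in VALUED_ATTRS:
            val = getattr(self, attr)
            if val is not None:
                parts.append("%s=%s" % (_header_name(attr), val))
        for attr in FLAG_ATTRS:
            if getattr(self, attr):
                parts.append(_FLAG_NAMES[attr])
        return "; ".join(parts)


def session_cookie(name, session_id, path="/"):
    """What a session layer should emit: the cookie always carries both
    Secure and HttpOnly, without relying on each caller to remember them."""
    return Cookie(name, session_id, path=path, secure=True, httponly=True)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs, flags) so a test
    or response audit can check which flags are really on the wire."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs, flags = {}, set()
    for piece in pieces[1:]:
        if "=" in piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
        elif piece:
            flags.add(piece.lower())
    return name, value, attrs, flags


def cookie_is_script_safe(header):
    """True when the header sets both HttpOnly and Secure, the combination
    the report recommends for session cookies."""
    _, _, _, flags = parse_set_cookie(header)
    return "httponly" in flags and "secure" in flags


if __name__ == "__main__":
    # Constructed sample session id, not a real value.
    print(str(session_cookie("pysid", "deadbeef")))
    # -> pysid=deadbeef; Path=/; Secure; HttpOnly
```

Because the flags are emitted with no `=value` part, a header such as `HttpOnly=1` (a common mistake when a flag is treated like a valued attribute) can never be produced, and `cookie_is_script_safe` gives a quick regression check over whatever headers the application actually sends.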

