Issue Details (XML | Word | Printable)

Key: MODPYTHON-108
Type: Improvement Improvement
Status: Closed Closed
Resolution: Fixed
Priority: Minor Minor
Assignee: Graham Dumpleton
Reporter: Deron Meranda
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
mod_python

Let Cookie support new HttpOnly property to prevent cross-site cookie stealing

Created: 06/Jan/06 03:32 PM   Updated: 05/Apr/07 11:13 AM
Return to search
Component/s: core
Affects Version/s: 3.1.4, 3.3.x, 3.2.7
Fix Version/s: 3.3.1

Time Tracking:
Not Specified

File Attachments:
  File Name Date Attached Attached By Size
File Licensed for inclusion in ASF works MP108_20060427_grahamd_1.diff 2006-04-27 01:45 PM Graham Dumpleton 2 kB

Resolution Date: 30/Apr/06 05:39 PM


 Description  « Hide
The Cookie.Cookie class does not allow the new "httponly" cookie property to be set. It needs to be added to the valid slots on the cookie metaclass. Also note that like the "secure" cookie attribute, it is simple a boolean flag without any value.

The HttpOnly flag was invented by Microsoft but seeing widespread support as a way to prevent cross-site scripting from stealing cookies using client-side Javascript. This is especially important for security-sensitive cookies, such as session keys.

The mod_python session object should also explicitly set the HttpOnly property on the cookies it creates.

See also these related references:
1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml

 All   Comments   Work Log   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Graham Dumpleton added a comment - 27/Apr/06 01:45 PM
Attached patch which should add the support for this. Someone else want to check for me as I am not an expert on cookies and don't have a browser which I know understands the option, nor do I know how one would conceivably test that it works as expected with that browser. Visually it seems to do the correct thing in terms of what is placed in the cookie in the headers.

[ Permlink | « Hide ]
Graham Dumpleton added a comment - 30/Apr/06 05:39 PM
At the technical level, it appears to mark up cookie as it is meant to. Thus change has been committed and marked resolved. It really needs someone who understands how this thing is used to actually put it into practice and come back and say that it does as advertised in preventing cross site scripting attacks.


Powered by a free Atlassian JIRA open source license for Apache Software Foundation. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.2-#335) - Bug/feature request - Atlassian news - Contact Administrators