mod_python / MODPYTHON-108

Let Cookie support new HttpOnly property to prevent cross-site cookie stealing

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.4, 3.3.x, 3.2.7
    • Fix Version/s: 3.3.1
    • Component/s: core
    • Labels: None

    Description

      The Cookie.Cookie class does not allow the new "httponly" cookie property to be set. It needs to be added to the valid slots on the cookie metaclass. Also note that, like the "secure" cookie attribute, it is simply a boolean flag without any value.

      The HttpOnly flag was invented by Microsoft but is seeing widespread support as a way to prevent cross-site scripting from stealing cookies using client-side JavaScript. This is especially important for security-sensitive cookies, such as session keys.

      The mod_python session object should also explicitly set the HttpOnly property on the cookies it creates.

      See also these related references:
      1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
      2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
      3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
      4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml
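
An added example, not part of the original issue or of the mod_python code base: it uses Python's standard-library http.cookies module (not mod_python's Cookie class) to emit HttpOnly as a valueless flag, then audits Set-Cookie values for sensitive cookies that lack it. The cookie names and header values are constructed samples, and the parser assumes no ";" inside cookie values.

```python
from http.cookies import SimpleCookie


def session_cookie_header(name, value):
    """Serialise a session cookie with the HttpOnly and Secure flags set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True  # boolean flag, emitted as bare "HttpOnly"
    jar[name]["secure"] = True    # boolean flag, emitted as bare "Secure"
    return jar[name].OutputString()


def cookie_flags(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags carry no "=value" part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def missing_httponly(set_cookie_values, sensitive_names):
    """Names of sensitive cookies that were sent without HttpOnly."""
    missing = []
    for value in set_cookie_values:
        name, attrs = cookie_flags(value)
        if name in sensitive_names and "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample Set-Cookie values, as a response audit might collect them.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/",          # session key readable from script
    "auth=tok456; path=/; httponly",      # flag present, lower-case spelling
    "theme=dark; Path=/",                 # not security-sensitive
    session_cookie_header("csrf_seed", "x9y8"),
]

if __name__ == "__main__":
    print(session_cookie_header("session_id", "abc123"))
    print(missing_httponly(SAMPLE_HEADERS, {"session_id", "auth", "csrf_seed"}))
```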

      Attachments

        1. MP108_20060427_grahamd_1.diff
          2 kB
          Graham Phillip Dumpleton

          People

            Assignee: grahamd Graham Phillip Dumpleton
            Reporter: dmeranda Deron Meranda