Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
------------------------------------------------------------------------------

         Key: MODPYTHON-108
         URL: http://issues.apache.org/jira/browse/MODPYTHON-108
     Project: mod_python
        Type: Improvement
  Components: core  
    Versions: 3.2, 3.1.4, 3.3    
    Reporter: Deron Meranda
    Priority: Minor


The Cookie.Cookie class does not allow the new "httponly" cookie property to be 
set.  It needs to be added to the valid slots on the cookie metaclass.  Also 
note that like the "secure" cookie attribute, it is simply a boolean flag 
without any value.

The HttpOnly flag was invented by Microsoft but is seeing widespread support as a 
way to prevent cross-site scripting from stealing cookies using client-side 
JavaScript.  This is especially important for security-sensitive cookies, such 
as session keys.

The mod_python session object should also explicitly set the HttpOnly property 
on the cookies it creates.

See also these related references:
1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
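Added example (not mod_python's own Cookie.Cookie code, and not from the reporter): a small Python cookie class that fixes the permitted attribute names with __slots__, as the report proposes for the mod_python class, and renders "httponly" the same way as "secure", a bare flag with no value. It also includes a checker that scans Set-Cookie headers for cookies missing those flags, which is how one would verify that a session cookie actually went out with HttpOnly set. Every name here (Cookie, header, parse_set_cookie, missing_flags, audit_response_headers) is hypothetical, and the sample response headers are constructed for the example.

```python
"""Minimal Set-Cookie builder and auditor (added example; not mod_python code).

"httponly" is treated exactly like "secure": a valid attribute name that is
either present or absent in the header, never written as "HttpOnly=value".
"""

# Attributes that carry a value: Python name -> header spelling.
VALUED_ATTRS = {
    "path": "Path",
    "domain": "Domain",
    "expires": "Expires",
    "max_age": "Max-Age",
}
# Attributes that are bare flags (no "=value" part).
FLAG_ATTRS = {
    "secure": "Secure",
    "httponly": "HttpOnly",
}


class Cookie:
    """Hypothetical cookie class whose attribute set is fixed by __slots__."""

    __slots__ = ("name", "value") + tuple(VALUED_ATTRS) + tuple(FLAG_ATTRS)

    def __init__(self, name, value, **attrs):
        self.name = name
        self.value = value
        for attr in VALUED_ATTRS:
            setattr(self, attr, None)
        for attr in FLAG_ATTRS:
            setattr(self, attr, False)
        for attr, val in attrs.items():
            # Reject anything outside the known slots (e.g. the typo "httpOnly"),
            # so a misspelled security flag fails loudly instead of silently.
            if attr not in VALUED_ATTRS and attr not in FLAG_ATTRS:
                raise AttributeError("unknown cookie attribute: %r" % attr)
            setattr(self, attr, val)

    def header(self):
        """Render the Set-Cookie header value (without the 'Set-Cookie: ' prefix)."""
        parts = ["%s=%s" % (self.name, self.value)]
        for attr, spelled in VALUED_ATTRS.items():
            val = getattr(self, attr)
            if val is not None:
                parts.append("%s=%s" % (spelled, val))
        for attr, spelled in FLAG_ATTRS.items():
            if getattr(self, attr):
                parts.append(spelled)  # flag only, never "Secure=1"
        return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: value_or_True})."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_eq, val = piece.partition("=")
        # Attribute names are case-insensitive; a flag is stored as True.
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def missing_flags(header, required=("Secure", "HttpOnly")):
    """Return the required flags a Set-Cookie value lacks; [] means it is fine."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in required if flag.lower() not in attrs]


def audit_response_headers(lines):
    """Check every Set-Cookie line of a response; returns {cookie_name: missing}."""
    findings = {}
    for line in lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        value = line.split(":", 1)[1].strip()
        name, _, _ = parse_set_cookie(value)
        lacking = missing_flags(value)
        if lacking:
            findings[name] = lacking
    return findings


if __name__ == "__main__":
    session = Cookie("pysid", "a1b2c3", path="/", secure=True, httponly=True)
    print("Set-Cookie: " + session.header())
    # Constructed sample response, not captured from a real server.
    sample = [
        "HTTP/1.1 200 OK",
        "Set-Cookie: pysid=a1b2c3; Path=/",
        "Set-Cookie: theme=dark; Path=/; HttpOnly",
        "Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly",
    ]
    print(audit_response_headers(sample))
```

The auditor treats the presence of the attribute name as what matters, which is how browsers interpret it. One caveat worth keeping in mind: HttpOnly only stops script from reading the cookie through document.cookie; script injected by an XSS bug can still make authenticated requests from the page, so the flag limits the damage rather than removing it, and Secure is only meaningful when the site is served over HTTPS.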
