[ http://issues.apache.org/jira/browse/MODPYTHON-108?page=all ] Work on MODPYTHON-108 started by Graham Dumpleton
> Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
> ------------------------------------------------------------------------------
>
>          Key: MODPYTHON-108
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-108
>      Project: mod_python
>         Type: Improvement
>   Components: core
>     Versions: 3.2.7, 3.1.4, 3.3
>     Reporter: Deron Meranda
>     Assignee: Graham Dumpleton
>     Priority: Minor
>  Attachments: MP108_20060427_grahamd_1.diff
>
> The Cookie.Cookie class does not allow the new "httponly" cookie property to
> be set. It needs to be added to the valid slots on the cookie metaclass.
> Also note that like the "secure" cookie attribute, it is simply a boolean
> flag without any value.
> The HttpOnly flag was invented by Microsoft but is seeing widespread support as
> a way to prevent cross-site scripting from stealing cookies using client-side
> Javascript. This is especially important for security-sensitive cookies,
> such as session keys.
> The mod_python session object should also explicitly set the HttpOnly
> property on the cookies it creates.
> See also these related references:
> 1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> 2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
> 3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
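The issue above describes two things a practitioner will want to see concretely: that "httponly", like "secure", is a bare flag with no value in the Set-Cookie header, and that a session cookie should carry it. The following is an added example, not mod_python's Cookie class or the patch attached to this issue. It uses the standard library's http.cookies (which, unlike the mod_python Cookie class at the time of this report, already accepts "httponly" as a flag slot) to emit a hardened session cookie, and a hypothetical audit_set_cookie helper that parses any Set-Cookie header value and reports which of the two flags are missing. The cookie name "pysid" and the sample legacy header are assumptions constructed for the example.

```python
"""Emit a session Set-Cookie header with HttpOnly/Secure and audit headers for the flags.

Added example; not mod_python code. Uses only the Python standard library.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Union


def session_cookie_header(name: str, value: str, path: str = "/",
                          secure: bool = True, httponly: bool = True,
                          max_age: Optional[int] = None) -> str:
    """Render one Set-Cookie header value for a session cookie.

    Secure and HttpOnly are value-less flags: assigning True emits the bare
    attribute name, assigning False omits it entirely (no "HttpOnly=0").
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if max_age is not None:
        morsel["max-age"] = max_age
    morsel["secure"] = secure      # flag slot, same handling as httponly
    morsel["httponly"] = httponly  # the slot this issue asks mod_python to add
    return morsel.OutputString()


def audit_set_cookie(header: str) -> Dict[str, Union[str, bool, None, List[str]]]:
    """Parse a Set-Cookie header value and report the hardening flags present.

    Hypothetical helper (not from the issue). Attribute names are matched
    case-insensitively; a flag counts as present only when it appears with no
    "=value" part, which is how browsers expect Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    flags = ("httponly", "secure")
    return {
        "name": name.strip(),
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        "path": attrs.get("path"),
        "missing": [f for f in flags if attrs.get(f) is not True],
    }


# Constructed sample: what a session cookie looked like before HttpOnly support.
LEGACY_HEADER = "pysid=abc123; Path=/"


if __name__ == "__main__":
    hardened = session_cookie_header("pysid", "abc123", max_age=3600)
    print("Set-Cookie:", hardened)
    print("audit hardened:", audit_set_cookie(hardened))
    print("audit legacy:  ", audit_set_cookie(LEGACY_HEADER))
```

Flags are emitted only when truthy, so passing httponly=False produces the same header shape as a server that predates the fix, which is exactly what audit_set_cookie flags as missing. HttpOnly stops script access via document.cookie; it does not stop the cookie being sent over plain HTTP, which is why the example sets Secure alongside it.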