Greetings, I got a request today to add the httpOnly [1]_ attribute to the session cookies that our apps return. We have a mixture of TG1, TG2, and Django apps with custom auth modules for each. I was able to add the httpOnly attribute to our TG2 and Django modules. The TG1 module is posing me some problems, however. It looks like adding more cookie attributes to the session cookie would be implemented by the VisitFilter class in TG1 (turbogears/visit/api.py). This doesn't appear pluggable in the same way that VisitManagers are. I could probably dive into direct CherryPy filter modification and make this work. However, if this is something that the TurboGears1 maintainers would like to add to their tree for the future, I'd be much happier simply cherry-picking the change for the Fedora and EPEL TurboGears-1.x packages.
Here's what the change would look like:
import Cookie
[...]
class VisitFilter(BaseFilter):
    def __init__(self):
        [...]
        # The httponly bit tells compliant web browsers not to let
        # JavaScript code read the cookie. Can prevent some XSS attacks.
        self.cookie_httponly = get("visit.cookie.httponly", False)

    def send_cookie(self, visit_key):
        [...]
        if self.cookie_httponly:
            try:
                cookies[self.cookie_name]['httponly'] = True
            except Cookie.CookieError:
                # Older versions of python's Cookie module do not support
                # httponly
                pass
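As an added illustration (my own example, not part of the patch above or of TurboGears), the same set-the-flag-with-fallback logic written against Python 3's http.cookies (the renamed Cookie module), plus a small helper for checking that the Set-Cookie header a server actually emits carries HttpOnly. The function names, the "tg-visit" cookie name and the sample value are constructed for the example.

```python
from http.cookies import SimpleCookie, CookieError


def build_session_cookie(name, value, httponly=True, path="/"):
    """Return the Set-Cookie header value for a session cookie.

    Mirrors the VisitFilter change: the HttpOnly flag is requested via the
    Morsel attribute, and a CookieError from a Cookie module that does not
    know the attribute is swallowed so the cookie is still sent (without the
    flag) rather than failing the request.
    """
    cookies = SimpleCookie()
    cookies[name] = value
    cookies[name]["path"] = path
    if httponly:
        try:
            cookies[name]["httponly"] = True
        except CookieError:
            # Older Cookie modules reject unknown attributes; degrade
            # gracefully exactly as the TG1 patch does.
            pass
    return cookies[name].OutputString()


def has_httponly(set_cookie_header):
    """Check a Set-Cookie header value for the HttpOnly flag.

    Attribute names are case-insensitive per RFC 6265, so compare lowered.
    Useful when auditing which apps actually honour the configuration.
    """
    parts = [p.strip().lower() for p in set_cookie_header.split(";")]
    return "httponly" in parts


if __name__ == "__main__":
    # Constructed sample session value; a real one would be the visit key.
    header = build_session_cookie("tg-visit", "abc123")
    print(header)                 # tg-visit=abc123; HttpOnly; Path=/
    print(has_httponly(header))   # True
```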
This might also be something that the TG2 maintainers might like to look at adding to the default repoze.who adapters.
What do you think?
.. [1] https://www.owasp.org/index.php/HttpOnly#What_is_HttpOnly.3F
-Toshio