Improve security of form auth handler cookies
---------------------------------------------

                 Key: SLING-1762
                 URL: https://issues.apache.org/jira/browse/SLING-1762
             Project: Sling
          Issue Type: Improvement
          Components: Authentication
    Affects Versions: Form Based Authentication 1.0.0
            Reporter: Felix Meschberger
            Assignee: Felix Meschberger
             Fix For: Form Based Authentication 1.0.2


There is a nice feature of cookie support in browsers today which prevents 
cookies from being accessed in client-side JavaScript: the "HttpOnly" attribute. 
This makes using cookies almost as safe as HTTP Basic Authentication from the 
point of view of accessing the credential data from client-side JavaScript.

The cookie(s) produced by the Form Authentication Handler should be protected 
using this attribute.

The drawback is that the Set-Cookie response header must be created manually, 
because the Servlet API Cookie class up to and including 2.5 does not support 
setting this attribute (the Servlet API 3.0 Cookie class supports it, but we 
don't support Servlet API 3.0).

See http://www.owasp.org/index.php/HttpOnly for full details and 
http://www.browserscope.org/?category=security for up to date browser support 
information.
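As an added illustration (not code from the Sling form authentication handler), a hypothetical helper that writes the Set-Cookie header by hand for a Servlet 2.5 container; the class name, method names and the token check are assumptions, and the Expires attribute is emitted alongside Max-Age because older browsers ignore Max-Age.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper: builds a Set-Cookie header manually so the HttpOnly
 * attribute can be sent from a Servlet 2.5 container, where
 * javax.servlet.http.Cookie has no setHttpOnly().
 */
public final class HttpOnlyCookieWriter {

    /** Builds the raw Set-Cookie value; kept separate so it can be unit tested. */
    static String buildSetCookie(String name, String value, String path,
            int maxAgeSeconds, boolean secure) {
        // Reject separators and control characters in every token; otherwise a
        // crafted value could append attributes or split the header line.
        for (String s : new String[] { name, value, path }) {
            for (char c : s.toCharArray()) {
                if (c <= ' ' || c == ';' || c == ',') {
                    throw new IllegalArgumentException("invalid cookie token: " + s);
                }
            }
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        sb.append("; Path=").append(path);
        if (maxAgeSeconds >= 0) {
            // Max-Age is ignored by older browsers, so send Expires as well.
            SimpleDateFormat fmt = new SimpleDateFormat(
                    "EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
            fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
            Date expires = new Date(System.currentTimeMillis() + maxAgeSeconds * 1000L);
            sb.append("; Max-Age=").append(maxAgeSeconds);
            sb.append("; Expires=").append(fmt.format(expires));
        }
        if (secure) {
            sb.append("; Secure"); // only send the cookie back over HTTPS
        }
        sb.append("; HttpOnly"); // keep it out of reach of client-side script
        return sb.toString();
    }

    /** Adds the cookie to the response; pass secure=request.isSecure() in practice. */
    public static void addCookie(HttpServletResponse response, String name,
            String value, String path, int maxAgeSeconds, boolean secure) {
        response.addHeader("Set-Cookie",
                buildSetCookie(name, value, path, maxAgeSeconds, secure));
    }
}
```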

-- 
This message is automatically generated by JIRA.