[ http://issues.apache.org/jira/browse/MODPYTHON-108?page=all ]
Graham Dumpleton reassigned MODPYTHON-108:
------------------------------------------
Assign To: Graham Dumpleton (was: Jim Gallacher)
> Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
> ------------------------------------------------------------------------------
>
> Key: MODPYTHON-108
> URL: http://issues.apache.org/jira/browse/MODPYTHON-108
> Project: mod_python
> Type: Improvement
> Components: core
> Versions: 3.2.7, 3.1.4, 3.3
> Reporter: Deron Meranda
> Assignee: Graham Dumpleton
> Priority: Minor
> Attachments: MP108_20060427_grahamd_1.diff
>
> The Cookie.Cookie class does not allow the new "httponly" cookie property to
> be set. It needs to be added to the valid slots on the cookie metaclass.
> Also note that like the "secure" cookie attribute, it is simply a boolean
> flag without any value.
> The HttpOnly flag was invented by Microsoft but is seeing widespread support as
> a way to prevent cross-site scripting from stealing cookies using client-side
> JavaScript. This is especially important for security-sensitive cookies,
> such as session keys.
> The mod_python session object should also explicitly set the HttpOnly
> property on the cookies it creates.
> See also these related references:
> 1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> 2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
> 3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira