Stephen,

On Fri, Sep 14, 2012 at 11:51 AM, Stephen Breen <breen.mach...@gmail.com> wrote:
> I think it's difficult to identify this,

Agreed, but if we lived in a world where we could identify which
cookies are for session handling and which for "other stuff", would
you say that the ideas expressed in the previous email are correct?

> maybe they should all be logged as
> informational.
>
> Plenty of applications use custom session tokens, it wouldn't be possible to
> separate these from other types of cookie.
>
> On Fri, Sep 14, 2012 at 10:46 AM, Andres Riancho <andres.rian...@gmail.com>
> wrote:
>>
>> List,
>>
>>     Yesterday I found out that w3af doesn't have a plugin that
>> verifies if cookies have the httponly flag or not; so I decided to
>> write it (it was going to be a 2min task) and then I asked myself: "Do
>> all cookies need to be httponly? What's the use case where a developer
>> needs to access a cookie from within javascript?"
>>
>>     I think I solved this, but I need your advice on this:
>>         * All session cookies (PHPSESSID, etc.) need to be httponly,
>> since there is no use case for a developer to access the cookie from
>> javascript; and if he's doing it... he's doing something wrong.
>>
>>         * All other cookies (the ones that are used for tracking,
>> language, etc.) don't need to be httponly, but it is recommended they
>> are. There might be some cases where the JS developer wants to access
>> the cookie that holds the language to show A or B; so that use case we
>> can't flag as insecure nor incorrect.
>>
>>     Ideas?
>>
>> Regards,
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>>
>>
>> ------------------------------------------------------------------------------
>> Got visibility?
>> Most devs has no idea what their production app looks like.
>> Find out how fast your code is with AppDynamics Lite.
>> http://ad.doubleclick.net/clk;262219671;13503038;y?
>> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
>> _______________________________________________
>> W3af-develop mailing list
>> W3af-develop@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

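As an added illustration of the two-tier reporting Andrés proposes (session cookies without HttpOnly flagged as a real finding, all other cookies only as informational), here is a small audit routine. It is example code written for this thread, not w3af's plugin and not code from either poster. The list of session-cookie names and the "sess" substring check are a constructed heuristic of my own, which is exactly the limitation Stephen raises: applications with custom session tokens will be misclassified as "other" and reported only at the informational level.

```python
"""Added example (not w3af's plugin): audit Set-Cookie headers for HttpOnly.

Each cookie is classified as a session cookie (by a name heuristic) or an
"other" cookie, and a missing HttpOnly flag is reported at a severity that
depends on that classification, following the split discussed in the thread.
"""
from dataclasses import dataclass

# Assumption: names used by common framework session handlers. This is a
# constructed heuristic, not an exhaustive list; custom session tokens
# will not be recognised and will fall into the "other" bucket.
SESSION_COOKIE_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session",
    "sid", "connect.sid", "_session_id",
}


@dataclass(frozen=True)
class CookieFinding:
    name: str
    is_session: bool
    httponly: bool
    severity: str  # "high", "informational", or "ok"


def parse_set_cookie(header_value):
    """Return (name, attributes) for one Set-Cookie header value.

    attributes has lower-cased keys; flag attributes such as HttpOnly and
    Secure map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def looks_like_session_cookie(name):
    """Heuristic classification (assumption): known names or 'sess' in the name."""
    lowered = name.lower()
    return lowered in SESSION_COOKIE_NAMES or "sess" in lowered


def audit_cookie(header_value):
    """Classify one Set-Cookie header and grade a missing HttpOnly flag."""
    name, attrs = parse_set_cookie(header_value)
    is_session = looks_like_session_cookie(name)
    httponly = attrs.get("httponly") is True
    if httponly:
        severity = "ok"
    elif is_session:
        # No legitimate reason for script to read a session cookie.
        severity = "high"
    else:
        # Language/tracking cookies may be read by JS by design: recommend only.
        severity = "informational"
    return CookieFinding(name, is_session, httponly, severity)


def audit_response_headers(headers):
    """headers: list of (name, value) tuples as read off an HTTP response."""
    return [audit_cookie(v) for (n, v) in headers if n.lower() == "set-cookie"]


# Constructed sample response headers for demonstration.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=8d3f0c5a; Path=/; Secure"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "tracking=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for f in audit_response_headers(SAMPLE_HEADERS):
        print(f"{f.severity:13} {f.name} session={f.is_session} httponly={f.httponly}")
```

Run against the constructed sample, PHPSESSID is reported as high (session cookie, no HttpOnly), lang as informational, and tracking as ok. Replacing the name heuristic with something the scanner can actually observe (for example, which cookie the server refuses requests without) would be the way to address the custom-token problem raised above.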
