Bug #11298 for Apache-AuthCookie: add support for the httpOnly cookie flag

Mon Jan 31 14:45:03 2005 Guest - Ticket created

Subject:

add support for the httpOnly cookie flag

Hi. Love the module. Came across this link today: http://www.webappsec.org/articles/013105.html Which says: ------- When a cookie is set and tagged with httpOnly, JavaScript is then unable to read the cookie value. Meaning, when a Cross-Site Scripting attack occurs, the hacker gets an empty value from the cookie and stealing it becomes a pointless exercise, thereby making a session hi-jacking attack via Cross-Site Scripting much harder. ------- Even though support for this flag isn't universal (yet), it would be nice to have an option to append the flag. In the meantime I guess I can override the cookie_string() method.

Fri Apr 15 00:36:40 2005 MSCHOUT [...] cpan.org - Correspondence added

[guest - Mon Jan 31 14:45:03 2005]: Show quoted text

> Hi. Love the module. Came across this link today: > http://www.webappsec.org/articles/013105.html > > Which says: > ------- > When a cookie is set and tagged with httpOnly, JavaScript is then > unable to read the cookie value. Meaning, when a Cross-Site > Scripting attack occurs, the hacker gets an empty value from the > cookie and stealing it becomes a pointless exercise, thereby making > a session hi-jacking attack via Cross-Site Scripting much harder. > ------- > > Even though support for this flag isn't universal (yet), it would be > nice to have an option to append the flag. In the meantime I guess > I can override the cookie_string() method.

Thanks for the suggestion. I have added this to the CVS tree for 3.07. In the upcoming 3.07 release you can turn this feature on with: PerlSetVar AuthNameHttpOnly On Regards, Michael Schout

Mon Apr 18 11:24:17 2005 MSCHOUT [...] cpan.org - Status changed from 'new' to 'resolved'