This queue is for tickets about the Apache-AuthCookie CPAN distribution.

Report information
The Basics
Id: 11298
Status: resolved
Priority: 0/
Queue: Apache-AuthCookie

People
Owner: Nobody in particular
Requestors: modperlpants [...] yahoo.com
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: add support for the httpOnly cookie flag
Hi. Love the module. Came across this link today: http://www.webappsec.org/articles/013105.html

Which says:

-------
When a cookie is set and tagged with httpOnly, JavaScript is then unable to read the cookie value. Meaning, when a Cross-Site Scripting attack occurs, the hacker gets an empty value from the cookie and stealing it becomes a pointless exercise, thereby making a session hi-jacking attack via Cross-Site Scripting much harder.
-------

Even though support for this flag isn't universal (yet), it would be nice to have an option to append the flag. In the meantime I guess I can override the cookie_string() method.
[guest - Mon Jan 31 14:45:03 2005]:
> Hi. Love the module. Came across this link today:
> http://www.webappsec.org/articles/013105.html
>
> Which says:
> -------
> When a cookie is set and tagged with httpOnly, JavaScript is then
> unable to read the cookie value. Meaning, when a Cross-Site
> Scripting attack occurs, the hacker gets an empty value from the
> cookie and stealing it becomes a pointless exercise, thereby making
> a session hi-jacking attack via Cross-Site Scripting much harder.
> -------
>
> Even though support for this flag isn't universal (yet), it would be
> nice to have an option to append the flag. In the meantime I guess
> I can override the cookie_string() method.
Thanks for the suggestion. I have added this to the CVS tree for 3.07. In the upcoming 3.07 release you can turn this feature on with:

PerlSetVar AuthNameHttpOnly On

Regards,
Michael Schout
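As an added illustration (not code from Apache-AuthCookie or from either participant in this ticket), the stand-alone Perl below emulates the behaviour the ticket asks for: build the Set-Cookie value, append HttpOnly when a `${AuthName}HttpOnly` setting is on, then parse the result to confirm the flag is actually present. The %dir_config hash standing in for PerlSetVar values, the functions build_cookie_string and cookie_attributes, and the AuthName "WhatEver" are all assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for Apache's per-directory config (PerlSetVar values).
# Keys follow the "${AuthName}Setting" naming quoted in the ticket; constructed sample.
my %dir_config = (
    'WhatEverHttpOnly' => 'On',   # the flag requested in this ticket
    'WhatEverSecure'   => 'On',
    'WhatEverPath'     => '/',
);

# True for the usual Apache-style "on" spellings.
sub _is_on {
    my $v = shift;
    return defined $v && $v =~ /^(?:on|1|true|yes)$/i;
}

# Build a Set-Cookie value the way a cookie_string() override might (assumed,
# not the module's own code): "name=value" plus configuration-driven attributes.
sub build_cookie_string {
    my ($auth_name, $name, $value, $cfg) = @_;
    my $string = "$name=$value";
    $string .= '; path='   . $cfg->{"${auth_name}Path"}   if $cfg->{"${auth_name}Path"};
    $string .= '; domain=' . $cfg->{"${auth_name}Domain"} if $cfg->{"${auth_name}Domain"};
    $string .= '; secure'   if _is_on($cfg->{"${auth_name}Secure"});
    $string .= '; HttpOnly' if _is_on($cfg->{"${auth_name}HttpOnly"});
    return $string;
}

# Audit helper: split a Set-Cookie value into the name=value pair and a
# case-insensitive set of attribute names, so a response can be checked.
sub cookie_attributes {
    my ($set_cookie) = @_;
    my ($pair, @attrs) = split /\s*;\s*/, $set_cookie;
    my %seen = map { my ($k) = split /=/, $_, 2; (lc $k => 1) } @attrs;
    return ($pair, \%seen);
}

my $cookie = build_cookie_string('WhatEver', 'WhatEver_AuthCookie', 'sessid-example', \%dir_config);
print "Set-Cookie: $cookie\n";

my ($pair, $attrs) = cookie_attributes($cookie);
printf "cookie pair:  %s\n", $pair;
printf "HttpOnly set: %s\n", $attrs->{httponly} ? 'yes' : 'NO';
printf "Secure set:   %s\n", $attrs->{secure}   ? 'yes' : 'NO';
```

Setting the HttpOnly value to Off in %dir_config makes the audit line report NO, which is the same check worth running against real Set-Cookie headers once the 3.07 directive is configured.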