[Rt-commit] rt branch, 3.8/httponly-cookies, created. rt-3.8.10-13-ga740e98

Alex Vandiver alexmv at bestpractical.com
Thu Jul 7 14:03:53 EDT 2011


The branch, 3.8/httponly-cookies has been created
        at  a740e98751ce11d3a5d80d3cd21cf2b83efacae4 (commit)

- Log -----------------------------------------------------------------
commit a740e98751ce11d3a5d80d3cd21cf2b83efacae4
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Thu Jul 7 14:02:09 2011 -0400

    Prevent the session cookie from being read by client-side javascript
    
    Setting HttpOnly prevents "document.cookie" in javascript from returning
    the cookie in question (other cookies from the same host are
    unaffected).  Since the session-id of the request is never used by
    client-side javascript directly, this prevents it from being read
    (and forwarded on) by malicious javascript.  Obviously, this is only a
    paper-thin layer of fallback security, as there are many other avenues
    for exploitation that malicious javascript could take.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 6062585..2337bab 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -657,10 +657,11 @@ sub InstantiateNewSession {
 
 sub SendSessionCookie {
     my $cookie = CGI::Cookie->new(
-        -name   => _SessionCookieName(),
-        -value  => $HTML::Mason::Commands::session{_session_id},
-        -path   => RT->Config->Get('WebPath'),
-        -secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 )
+        -name     => _SessionCookieName(),
+        -value    => $HTML::Mason::Commands::session{_session_id},
+        -path     => RT->Config->Get('WebPath'),
+        -secure   => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
+        -httponly => 1,
     );
 
     $HTML::Mason::Commands::r->err_headers_out->{'Set-Cookie'} = $cookie->as_string;
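Review bot: `-httponly => 1` is hardcoded while the neighbouring `-secure` flag stays gated on `WebSecureCookies`; unconditional is the right choice for a session cookie that client-side code never reads, but the change gives no signal if the flag is not actually honoured. CGI::Cookie only emits `HttpOnly` when the installed CGI.pm knows the `-httponly` option, and on an older CGI.pm the cookie would go out unchanged with no error, so the hunk should be paired with a minimum-version bump for CGI.pm in the dependency list and a test that the header assigned at `$HTML::Mason::Commands::r->err_headers_out->{'Set-Cookie'}` contains `HttpOnly`, so the protection is verified rather than assumed.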

-----------------------------------------------------------------------
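The commit message above describes the effect of the HttpOnly attribute on the session cookie; what a deployment actually gets is whatever appears in the `Set-Cookie` header, so the practical check is to audit that header. The following is an added example, not code from RT or from this commit: it parses `Set-Cookie` values and reports a session cookie that lacks `HttpOnly` (and, optionally, `Secure`). The two sample headers are constructed to mirror the before/after of this change; the cookie name, value and path in them are placeholders, not values from the page.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not RT code). The sample headers below are constructed to
mirror what SendSessionCookie emits before and after the HttpOnly change;
cookie name, value and path are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    """Result of inspecting one Set-Cookie header value."""
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)
    missing: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and its attributes.

    Attribute names are compared case-insensitively, as browsers do; flags
    that carry no value (HttpOnly, Secure) are stored with an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attributes=attrs)


def audit_session_cookie(header: str, require_secure: bool = True) -> CookieAudit:
    """Flag a session cookie that lacks HttpOnly (and, if required, Secure).

    require_secure mirrors a deployment choice like WebSecureCookies: a site
    served only over TLS should insist on Secure as well as HttpOnly.
    """
    audit = parse_set_cookie(header)
    if "httponly" not in audit.attributes:
        audit.missing.append("HttpOnly")
    if require_secure and "secure" not in audit.attributes:
        audit.missing.append("Secure")
    return audit


# Constructed headers modelled on this commit's before/after; placeholders only.
BEFORE = "session_cookie_placeholder=deadbeef; path=/rt; secure"
AFTER = "session_cookie_placeholder=deadbeef; path=/rt; secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        result = audit_session_cookie(hdr)
        status = "ok" if result.ok else "missing " + ", ".join(result.missing)
        print(f"{label}: {result.name} -> {status}")
```

Run against a live response (for example, the header captured from a login request) rather than the constructed samples to confirm that the flag survived the installed CGI.pm version and any proxy in front of the application; a header without `HttpOnly` means the change is not in effect regardless of what the source says.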

