[Rt-commit] rt branch, 3.8/httponly-cookies, created. rt-3.8.10-13-ga740e98
Alex Vandiver
alexmv at bestpractical.com
Thu Jul 7 14:03:53 EDT 2011
The branch, 3.8/httponly-cookies has been created
at a740e98751ce11d3a5d80d3cd21cf2b83efacae4 (commit)
- Log -----------------------------------------------------------------
commit a740e98751ce11d3a5d80d3cd21cf2b83efacae4
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Thu Jul 7 14:02:09 2011 -0400
Prevent the session cookie from being read by client-side javascript
Setting HttpOnly prevents "document.cookie" in javascript from returning
the cookie in question (other cookies from the same host are
unaffected). Since the session-id of the request is never used by
client-side javascript directly, this prevents it from being read
(and forwarded on) by malicious javascript. Obviously, this is only a
paper-thin layer of fallback security, as there are many other avenues
for exploitation that malicious javascript could take.
diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 6062585..2337bab 100755
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -657,10 +657,11 @@ sub InstantiateNewSession {
sub SendSessionCookie {
my $cookie = CGI::Cookie->new(
- -name => _SessionCookieName(),
- -value => $HTML::Mason::Commands::session{_session_id},
- -path => RT->Config->Get('WebPath'),
- -secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 )
+ -name => _SessionCookieName(),
+ -value => $HTML::Mason::Commands::session{_session_id},
+ -path => RT->Config->Get('WebPath'),
+ -secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
+ -httponly => 1,
);
$HTML::Mason::Commands::r->err_headers_out->{'Set-Cookie'} = $cookie->as_string;
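Review bot: the new `-httponly => 1` argument is only honoured by versions of CGI.pm whose `CGI::Cookie` knows that option; older versions silently ignore unrecognised `-` arguments, so `$cookie->as_string` on the last context line would emit the session cookie without the `HttpOnly` attribute and nothing would fail. Suggest either documenting the minimum CGI.pm version this relies on or adding a test that requests a page and asserts the `Set-Cookie` header contains `HttpOnly`, so a too-old dependency is caught rather than leaving the session id readable from `document.cookie` again. Also note that `-secure` remains driven by `WebSecureCookies` while `-httponly` is unconditional; that is reasonable since nothing client-side reads the session id, but a one-line comment beside the new argument would save the next reader from looking for a matching config option.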
-----------------------------------------------------------------------