Added protection against XSS cookie-theft attacks #12

Merged
merged 1 commit into from Apr 26, 2011


@richmarr

I've added the HttpOnly attribute to session cookies in order to raise the barrier to XSS cookie theft. It seems like a zero-cost win so I thought I'd share.

It's still a draft spec but already has significant browser support. Not sure of the exact status but the 2008 state is described on Coding Horror below:

http://tools.ietf.org/html/draft-ietf-httpstate-cookie-21
http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
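The mechanism behind the pull request, as an added example that is not code from this pull request or from caolan's project: a small Node.js model of the server side (building a Set-Cookie header with and without HttpOnly) and of the browser side (what an injected script reading document.cookie would see). The helper names (buildSessionCookie, parseSetCookie, CookieJar, xssPayloadSees) and the cookie values are assumptions made for illustration; the cookie jar ignores domain and path matching, which does not affect the point being shown.

```javascript
// Added example, not from the pull request or the project it targets.
// Helper names and sample cookie values are hypothetical.

// Build a Set-Cookie header value for a session cookie. The HttpOnly
// attribute tells the browser to withhold the cookie from script
// (document.cookie), which blocks the classic XSS cookie-theft payload.
function buildSessionCookie(name, value, opts = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push('Path=' + (opts.path || '/'));
  if (opts.maxAge !== undefined) parts.push('Max-Age=' + Math.floor(opts.maxAge));
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly !== false) parts.push('HttpOnly'); // on unless explicitly disabled
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and a lower-cased
// attribute map (flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attrs: {},
  };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Minimal model of a browser cookie jar (no domain/path matching).
class CookieJar {
  constructor() { this.cookies = new Map(); }

  setFromHeader(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // What document.cookie exposes to page script: every cookie except
  // those marked HttpOnly. This is the surface an XSS payload reads.
  documentCookie() {
    return [...this.cookies.values()]
      .filter(c => !c.attrs.httponly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What the browser attaches to requests: every cookie, HttpOnly or not.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Simulated XSS payload: exfiltrate whatever document.cookie yields.
function xssPayloadSees(jar) {
  return jar.documentCookie();
}

// Constructed comparison: the same session cookie issued without and with
// HttpOnly, and what an injected script could steal in each case.
function demo() {
  const weak = new CookieJar();
  weak.setFromHeader(buildSessionCookie('session', 'abc123', { httpOnly: false }));

  const hardened = new CookieJar();
  hardened.setFromHeader(buildSessionCookie('session', 'abc123'));

  return {
    weak: xssPayloadSees(weak),           // 'session=abc123'
    hardened: xssPayloadSees(hardened),   // ''
    stillSentByBrowser: hardened.requestCookieHeader(), // 'session=abc123'
  };
}

console.log(JSON.stringify(demo()));
```

Two caveats a practitioner would add: the Set-Cookie attribute has since been standardised in RFC 6265, which grew out of the draft-ietf-httpstate-cookie series linked above, so HttpOnly is no longer a draft-only feature; and HttpOnly only denies script the cookie value, it does not stop an XSS payload from issuing authenticated requests from within the victim's page, as the `stillSentByBrowser` field shows. Fixing the injection is still required; HttpOnly just removes the easiest way to turn it into a reusable stolen session.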

@caolan caolan added a commit that referenced this pull request Apr 26, 2011
@caolan Merged pull request #12 from richmarr/master.
Added protection against XSS cookie-theft attacks
a2e5c87
@caolan caolan merged commit a2e5c87 into caolan:master Apr 26, 2011