Added protection against XSS cookie-theft attacks #12

Merged
merged 1 commit into from

2 participants

@richmarr

I've added the HttpOnly attribute to session cookies in order to raise the barrier to XSS cookie theft. It seems like a zero-cost win so I thought I'd share.

It's still a draft spec but already has significant browser support. Not sure of the exact status but the 2008 state is described on coding horror below:

http://tools.ietf.org/html/draft-ietf-httpstate-cookie-21
http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
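An added example, not code from the cookie-sessions project, in the style of the patched string building: it assembles a session cookie with HttpOnly (and optionally Secure) and includes a small Set-Cookie attribute parser so a test can verify the flag is really present; the function names and the use of encodeURIComponent in place of escape are assumptions.

```javascript
// Added example (not part of cookie-sessions). Builds a cookie string of the
// same shape as the patch produces: name=value; expires=...; path=/; HttpOnly
function buildSessionCookie(name, value, expiresStr, opts) {
  opts = opts || {};
  var cookiestr = encodeURIComponent(name) + '=' + encodeURIComponent(value)
    + '; expires=' + expiresStr
    + '; path=/';
  if (opts.httpOnly !== false) cookiestr += '; HttpOnly'; // on by default
  if (opts.secure) cookiestr += '; Secure';               // for HTTPS-only sites
  return cookiestr;
}

// Parse a Set-Cookie value into {name, value, attrs}. Attribute names are
// case-insensitive in the cookie spec, so keys are lower-cased; attributes
// without a value (HttpOnly, Secure) map to true.
function parseSetCookie(str) {
  var parts = str.split(';');
  var nv = parts[0].split('=');
  var attrs = {};
  for (var i = 1; i < parts.length; i++) {
    var p = parts[i].trim();
    if (!p) continue;
    var eq = p.indexOf('=');
    var k = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[k] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: nv[0].trim(), value: nv.slice(1).join('=').trim(), attrs: attrs };
}

// True when the cookie would be hidden from document.cookie in a browser
// that honours HttpOnly; use this in a test against the server's response.
function isHttpOnly(setCookieValue) {
  return 'httponly' in parseSetCookie(setCookieValue).attrs;
}
```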

@caolan caolan referenced this pull request from a commit
@caolan Merged pull request #12 from richmarr/master.
Added protection against XSS cookie-theft attacks
a2e5c87
@caolan caolan merged commit a2e5c87 into caolan:master
Commits on Apr 25, 2011
  1. @richmarr
Showing with 2 additions and 2 deletions.
  1. +2 −2 lib/cookie-sessions.js
4 lib/cookie-sessions.js
@@ -39,13 +39,13 @@ var exports = module.exports = function(settings){
if ("cookie" in req.headers) {
cookiestr = escape(s.session_key) + '='
+ '; expires=' + exports.expires(0)
- + '; path=/';
+ + '; path=/; HttpOnly';
}
} else {
cookiestr = escape(s.session_key) + '='
+ escape(exports.serialize(s.secret, req.session))
+ '; expires=' + exports.expires(s.timeout)
- + '; path=/';
+ + '; path=/; HttpOnly';
}
if (cookiestr !== undefined) {
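Review bot: Neither of the new cookie strings sets the `Secure` attribute (both branches end with `'; path=/; HttpOnly'`), so a session cookie issued over HTTPS will still be sent on plain-HTTP requests to the same host; consider appending `; Secure` when the connection is TLS. Minor: the suffix `'; path=/; HttpOnly'` is now duplicated in the clearing branch (`expires(0)`) and the set branch, and could be one shared string so later attribute changes stay consistent. The behaviour change (session cookies are now HttpOnly) is also worth a line in the README or changelog.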