
Default behavior of UserAuthnMethod#create_cookie should be an HttpOnly cookie #150

Closed
gobengo opened this issue Dec 9, 2015 · 3 comments
@gobengo
Contributor

gobengo commented Dec 9, 2015

OWASP recommends that authn session cookies are HttpOnly unless otherwise needed.
https://www.owasp.org/index.php/HttpOnly

Do you think this is a good idea?

@rohe
Collaborator

rohe commented Dec 9, 2015

On 9 Dec 2015 at 19:59, Benjamin Goering notifications@github.com wrote:

OWASP recommends that authn session cookies are HttpOnly unless otherwise needed.
https://www.owasp.org/index.php/HttpOnly

Do you think this is a good idea?

Sounds reasonable!
I'll put it on the to-do list.

-- Roland
'Look, that's why there's rules, understand? So that you think before you break 'em.' - Terry Pratchett

@gobengo
Contributor Author

gobengo commented Dec 9, 2015

FWIW, I did this by adding the following to my UserAuthnMethod

try:
    from http.cookies import SimpleCookie  # Python 3
except ImportError:
    from Cookie import SimpleCookie  # Python 2 (the original import)

from oic.utils.authn.user import UserAuthnMethod  # base-class import path assumed


class PasswordAuthnModule(UserAuthnMethod):
    def create_cookie(self, *args, **kwargs):
        """
        Like super().create_cookie, but adds HttpOnly
        https://www.owasp.org/index.php/HttpOnly
        """
        header, value = \
            super(PasswordAuthnModule, self).create_cookie(*args, **kwargs)
        # Re-parse the rendered cookie value so the HttpOnly flag can be set
        cookie = SimpleCookie(value)
        cookie[self.srv.cookie_name]['httponly'] = True
        # output(header="") renders only the value part; str(cookie) would
        # prepend "Set-Cookie: " a second time, breaking the (header, value) pair
        http_only_value = cookie.output(header="").strip()
        return (header, http_only_value)

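As an added example (not code from this thread or from pyoidc), the following builds a session cookie with HttpOnly set from the start, in the same (header, value) pair shape the comments above assume `create_cookie` returns, and includes a small checker that a test suite or reverse proxy audit can run over an existing Set-Cookie value to confirm the flag is actually present. The cookie name and the `make_httponly_cookie` helper are assumptions for illustration; only `http.cookies.SimpleCookie` is standard library.

```python
"""Added example: emit an HttpOnly session cookie and verify the flag on a
rendered Set-Cookie value. Not pyoidc's own code."""
from http.cookies import SimpleCookie

# Cookie name constructed for this example; pyoidc's real default is not assumed.
COOKIE_NAME = "pyoidc"


def make_httponly_cookie(name, value, path="/", secure=True, max_age=None):
    """Return a (header, value) pair such as ("Set-Cookie", "name=...; HttpOnly").

    HttpOnly is always set so script (document.cookie) cannot read the session
    value; Secure is set by default so the cookie is only sent over TLS.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if max_age is not None:
        morsel["max-age"] = max_age
    # output() renders "Set-Cookie: <value>"; split once to get the pair
    header, rendered = cookie.output().split(": ", 1)
    return header, rendered


def cookie_attributes(set_cookie_value):
    """Parse the attributes of one Set-Cookie value into a lower-cased dict.

    Flag attributes (HttpOnly, Secure) map to True; valued ones (Path, Max-Age)
    map to their string value. Attribute names are case-insensitive per RFC 6265.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def is_httponly(set_cookie_value):
    """True only when the HttpOnly flag is present on the rendered cookie."""
    return cookie_attributes(set_cookie_value).get("httponly") is True


if __name__ == "__main__":
    hdr, val = make_httponly_cookie(COOKIE_NAME, "session-token", max_age=3600)
    print("%s: %s" % (hdr, val))
    print("HttpOnly set:", is_httponly(val))
```

The checker deliberately parses the raw header rather than trusting the object that produced it, so it can also be pointed at a captured response from a deployed server to confirm that no middleware or proxy has stripped the flag.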
@decentral1se decentral1se added this to the P2: SHOULD milestone Feb 21, 2017
@tpazderka tpazderka modified the milestones: P2: SHOULD, 1.0 Jan 25, 2019
@tpazderka
Collaborator

This has been already done on master.
