default cookies to httpOnly #1449
Comments
|
Let's hear feedback from @josh? As long as this cookie would work on both |
|
the main point is that setting cookies to httponly, they can't be read by javascript (so we have a better protection against session hijacking).
btw, I said that it is 'kind of' backwards incompatible because the only thing I can image that could break is if someone is reading cookies with javascript intentionally in his app. |
|
The session is already httponly. So is there a strong reason to set all cookies httponly? |
|
I think that the question should be "why not?". |
|
Backwards incompat. |
|
Now that Rails 4 is on the horizon, and backwards incompatibilities can be expected, is this something that should be reconsidered? |
|
Rails 4 is a backwards-compatible (as much as possible) release, and feature requests don't belong on the issues tracker anyway. |
|
Seems like there should be a way to tell Rails to make all cookies httponly by default, right? Instead of having to remember to set the httponly flag each time you save a cookie. |
|
@joevandyk : Please talk about feature requests on the mailing list. It looks like there is still a topic about your proposal ; unfortunately, it hasn't been commented yet. |
|
Maybe we can get @xuchu to think about this one for his gsoc project |
|
@chancancode I can work on it when building the expiring signed cookie jar. |
For security reasons(session hijacking, for example), I think that it could be a good idea to default cookies to httpOnly: https://www.owasp.org/index.php/HttpOnly
(any reason for not doing that - apart of being 'kind of' backwards incompatible?)
related:
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/response.rb#L136
https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/cookies.rb#L220
rack/rack#184
The text was updated successfully, but these errors were encountered: