[Seaside-dev] Session Cookie Security

Boris Popov boris at deepcovelabs.com
Tue Mar 17 23:48:00 UTC 2009


I just put a quick hack together to see this in action:

MySession>>sessionCookie
	"Wrap the cookie built by the superclass in a WASecureCookie so the
	HttpOnly and Secure attributes get written out. Secure is only set
	when the application is actually served over HTTPS; on a plain-HTTP
	site the browser would never send a Secure cookie back."
	| plain secure |
	plain := super sessionCookie.
	secure := (WASecureCookie new)
				key: plain key;
				value: plain value;
				path: plain path;
				httponly: true;
				secure: self application serverProtocol = #https;
				yourself.
	plain expiry ifNotNil: [:exp | secure expiry: exp].
	^secure

DeepCoveLabs.Web defineClass: #WASecureCookie
	superclass: #{Seaside.WACookie}
	indexedType: #none
	private: false
	instanceVariableNames: 'secure httponly '
	classInstanceVariableNames: ''
	imports: ''
	category: ''!

!DeepCoveLabs.Web.WASecureCookie methodsFor: 'accessing'!

httponly
	"Answer whether the HttpOnly attribute is written; defaults to true."
	^httponly ifNil: [httponly := true].!

httponly: anObject
	httponly := anObject.!

secure
	"Answer whether the Secure attribute is written; defaults to false,
	since a Secure cookie is never returned over plain HTTP."
	^secure ifNil: [secure := false].!

secure: anObject
	secure := anObject.! !

!DeepCoveLabs.Web.WASecureCookie methodsFor: 'writing'!

writeOn: aStream
	"Emit the standard cookie text, then append the two flag attributes.
	Attribute names are case-insensitive, so the lowercase 'secure' is
	accepted by browsers just like 'Secure'."
	super writeOn: aStream.
	self secure ifTrue: [aStream nextPutAll: '; secure'].
	self httponly ifTrue: [aStream nextPutAll: '; HttpOnly'].! !

Of course, in my case Opentalk converts these cookies into its own
entities, so I need to update it as well, but this is the basic idea.

Cheers!

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header.
Unless otherwise indicated, it contains information that is private and
confidential. If you have received it in error, please notify the sender
and delete the entire message including any attachments.

Thank you.
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org
[mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of
Boris Popov
Sent: Tuesday, March 17, 2009 3:40 PM
To: seaside-dev at lists.squeakfoundation.org
Subject: [Seaside-dev] Session Cookie Security

Hey,

Our auditors had recently completed comprehensive penetration testing of
our Seaside-based applications and one of the medium-priority
recommendations they had was to flag session cookies with 'HTTPOnly' and
'Secure' (latter only applies to secure sites, i.e. #serverProtocol =
#https). To be honest, I haven't had a chance to make a patch on 2.8
yet, simply because we don't use cookies for session tracking in
production right now, but I figured someone here might be interested
enough to pick this up anyway.

http://www.owasp.org/index.php/HTTPOnly
http://www.owasp.org/index.php/OWASP_AppSec_FAQ#What_are_these_secure_cookies.3F

There's plenty more on Google about these two.

Cheers! 

-Boris

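Added example, not code from either message above or from Seaside: a small Python audit of the Set-Cookie headers a response carries, covering the two recommendations in the thread (HttpOnly on every session cookie, Secure only when the site is served over HTTPS). It also shows the caveat behind "latter only applies to secure sites": a Secure cookie set on a plain-HTTP deployment is never sent back by the browser, so session tracking silently breaks. The cookie name, value and path are constructed for the example; `build_set_cookie` appends the flags in the same order as the posted `writeOn:` but is not Seaside's own rendering.

```python
"""Set-Cookie flag audit (added example, not from the original post or from
Seaside). Checks what the thread's auditors asked for: HttpOnly on every
session cookie, Secure only on HTTPS sites. Cookie name, value and path
below are constructed for the example."""
from typing import Dict, List, Optional, Tuple


def build_set_cookie(name: str, value: str, path: str = "/",
                     expires: Optional[str] = None,
                     secure: bool = False, httponly: bool = True) -> str:
    """Render a Set-Cookie value: base attributes first, then the two
    flags, in the order the posted writeOn: appends them."""
    parts = [f"{name}={value}", f"path={path}"]
    if expires is not None:
        parts.append(f"expires={expires}")
    if secure:
        parts.append("secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (name, value, {attr_lowercased: val}).
    Attribute names are lower-cased because browsers match them
    case-insensitively ('secure', 'Secure' and 'SECURE' are the same)."""
    pieces = [p.strip() for p in header.split(";")]
    if "=" not in pieces[0]:
        raise ValueError(f"cookie pair lacks '=': {pieces[0]!r}")
    name, value = (s.strip() for s in pieces[0].split("=", 1))
    attrs: Dict[str, Optional[str]] = {}
    for piece in pieces[1:]:
        if not piece:
            continue  # tolerate a stray ';;'
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, value, attrs


def audit_cookie(header: str, over_https: bool) -> List[str]:
    """Findings for one Set-Cookie header; an empty list means clean."""
    name, _value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, e.g. via XSS)")
    if over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie would also travel over plain HTTP)")
    if not over_https and "secure" in attrs:
        # The caveat behind "latter only applies to secure sites": a Secure
        # cookie is never returned on an http:// request, so the session is
        # lost on every hit of a plain-HTTP deployment.
        findings.append(f"{name}: Secure set on an HTTP site; browser will not send it back")
    return findings


def audit_response(set_cookie_headers: List[str], over_https: bool) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h, over_https)
            for h in set_cookie_headers}


# Constructed sample: what a cookie without the flags looks like next to the
# hardened one, as a site served over HTTPS would emit them.
PLAIN = build_set_cookie("sessionid", "8f3a2c", path="/app", secure=False, httponly=False)
HARDENED = build_set_cookie("sessionid", "8f3a2c", path="/app", secure=True, httponly=True)

if __name__ == "__main__":
    for label, hdr in (("plain", PLAIN), ("hardened", HARDENED)):
        print(f"{label:9} {hdr}")
        for finding in audit_cookie(hdr, over_https=True):
            print("   ", finding)
```

Run on its own, the block prints the two headers with the findings an auditor would raise for the plain one and none for the hardened one. Pass `over_https=False` to `audit_cookie` to see the Secure flag reported as harmful rather than required, which is exactly why the posted `sessionCookie` ties it to `serverProtocol = #https`.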

_______________________________________________
seaside-dev mailing list
seaside-dev at lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev