[Seaside-dev] Session Cookie Security

Philippe Marschall philippe.marschall at gmail.com
Wed Mar 18 06:15:18 UTC 2009


I know it doesn't help you very much right now but both of them are in
Seaside 2.9.

Cheers
Philippe

2009/3/17 Boris Popov <boris at deepcovelabs.com>:
> Hey,
>
> Our auditors had recently completed comprehensive penetration testing of
> our Seaside-based applications and one of the medium-priority
> recommendations they had was to flag session cookies with 'HTTPOnly' and
> 'Secure' (latter only applies to secure sites, i.e. #serverProtocol =
> #https). To be honest, I haven't had a chance to make a patch on 2.8
> yet, simply because we don't use cookies for session tracking in
> production right now, but I figured someone here might be interested
> enough to pick this up anyway.
>
> http://www.owasp.org/index.php/HTTPOnly
> http://www.owasp.org/index.php/OWASP_AppSec_FAQ#What_are_these_secure_cookies.3F
>
> There's plenty more on Google about these two.
>
> Cheers!
>
> -Boris
>
> --
> +1.604.689.0322
> DeepCove Labs Ltd.
> 4th floor 595 Howe Street
> Vancouver, Canada V6C 2T5
> http://tinyurl.com/r7uw4
>
> boris at deepcovelabs.com
>
> _______________________________________________
> seaside-dev mailing list
> seaside-dev at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
>

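The two flags Boris's auditors asked for, shown as an added example that is not part of this thread or of Seaside's own code. It is written in Python rather than Smalltalk because the point is the Set-Cookie header itself, which any framework ends up emitting: HttpOnly is unconditional, Secure is added only when the site is served over https (the browser never returns a Secure cookie over plain http, so setting it on an http site silently breaks session tracking). The cookie name `_seaside_session`, the sample value, and the constructed response headers are assumptions for illustration. The second half does what the penetration testers did: parse Set-Cookie lines and report the missing flags.

```python
"""Emit and audit session cookies for the HttpOnly and Secure flags.

Added example, not code from the seaside-dev thread or from Seaside.
"""
from http import cookies
from typing import List


def build_session_cookie(name: str, value: str, server_protocol: str,
                         path: str = "/") -> str:
    """Return the Set-Cookie header value for a session cookie.

    HttpOnly is always set so script running in the page (for example via
    an XSS bug) cannot read document.cookie.  Secure is set only when the
    site is served over https, matching the note in the thread that it
    applies only when #serverProtocol = #https.
    """
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["httponly"] = True
    if server_protocol.lower() == "https":
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value: str, over_https: bool) -> List[str]:
    """Return the flags a pentester would report as missing.

    Attribute names in Set-Cookie are case-insensitive, so the check
    lower-cases them; HttpOnly and Secure are bare attributes (no '=').
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit_response(headers: List[str], cookie_name: str,
                   over_https: bool) -> List[str]:
    """Find the Set-Cookie line for cookie_name in raw response header
    lines and audit it.  Returns ['(not set)'] if no such cookie appears."""
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        value = value.strip()
        if value.split("=", 1)[0].strip() == cookie_name:
            return audit_set_cookie(value, over_https)
    return ["(not set)"]


# Constructed sample: the kind of response header block an auditor would
# capture from an https site whose session cookie carries neither flag.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: _seaside_session=k3vZq8Lm2; Path=/",
]

if __name__ == "__main__":
    print(build_session_cookie("_seaside_session", "k3vZq8Lm2", "https"))
    print(build_session_cookie("_seaside_session", "k3vZq8Lm2", "http"))
    print(audit_response(SAMPLE_HEADERS, "_seaside_session", over_https=True))
```

Run it against a real capture by pasting the response headers into the list; on an http-only deployment pass over_https=False so the audit does not demand a Secure flag the browser would never honour.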
