[Seaside-dev] Session Cookie Security

Boris Popov boris at deepcovelabs.com
Mon Mar 23 20:52:37 UTC 2009


As a further comment to this thread, we actually found a way to do this
without changing a single line of code in our applications. Instead, a
single iRule on our load balancer analyzes all cookies that are passing
through and augments them with HttpOnly, Secure and Discard if they
don't already have those attributes.

http://tinyurl.com/57jqba

Cheers,

-Boris

-- 
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

CONFIDENTIALITY NOTICE

This email is intended only for the persons named in the message header.
Unless otherwise indicated, it contains information that is private and
confidential. If you have received it in error, please notify the sender
and delete the entire message including any attachments.

Thank you.
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org
[mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of
Philippe Marschall
Sent: Tuesday, March 17, 2009 11:36 PM
To: Seaside - developer list
Subject: Re: [Seaside-dev] Session Cookie Security

And we set the discard attribute so the browser deletes it when closing
the tab.

Cheers
Philippe

2009/3/18 Philippe Marschall <philippe.marschall at gmail.com>:
> I know it doesn't help you very much right now but both of them are in
> Seaside 2.9.
>
> Cheers
> Philippe
>
> 2009/3/17 Boris Popov <boris at deepcovelabs.com>:
>> Hey,
>>
>> Our auditors had recently completed comprehensive penetration testing
>> of our Seaside-based applications and one of the medium-priority
>> recommendations they had was to flag session cookies with 'HTTPOnly'
>> and 'Secure' (latter only applies to secure sites, i.e.
>> #serverProtocol = #https). To be honest, I haven't had a chance to
>> make a patch on 2.8 yet, simply because we don't use cookies for
>> session tracking in production right now, but I figured someone here
>> might be interested enough to pick this up anyway.
>>
>> http://www.owasp.org/index.php/HTTPOnly
>> http://www.owasp.org/index.php/OWASP_AppSec_FAQ#What_are_these_secure_cookies.3F
>>
>> There's plenty more on Google about these two.
>>
>> Cheers!
>>
>> -Boris
>>
>
_______________________________________________
seaside-dev mailing list
seaside-dev at lists.squeakfoundation.org
http://lists.squeakfoundation.org/mailman/listinfo/seaside-dev
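The proxy-side rewrite Boris describes (append HttpOnly, Secure and Discard to any Set-Cookie that lacks them, without touching the application) as an added Python example; this is not the iRule or any Seaside code from the thread, and the Set-Cookie values are constructed. Secure is only added when the site is served over HTTPS, matching the #serverProtocol = #https remark in the original post; Discard is an RFC 2965 (Set-Cookie2) attribute that RFC 6265 browsers ignore, where a cookie with no Expires/Max-Age is already session-scoped.

```python
# Flags the thread wants on every session cookie. Secure is only meaningful
# on an HTTPS site. Discard comes from RFC 2965; RFC 6265 browsers ignore
# unknown attributes, and a cookie without Expires/Max-Age is already a
# session cookie for them, so it is harmless but redundant there.
REQUIRED_FLAGS = ("HttpOnly", "Secure", "Discard")


def harden_set_cookie(header_value: str, https: bool = True) -> str:
    """Return a Set-Cookie value with HttpOnly, Secure and Discard appended
    when missing. Attributes already present (in any case) are kept as-is,
    so the rewrite is idempotent, which matters in a proxy in front of
    applications that may already set some of the flags themselves."""
    parts = [p.strip() for p in header_value.split(";")]
    # parts[0] is NAME=VALUE; the rest are attributes, matched case-insensitively.
    present = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    for flag in REQUIRED_FLAGS:
        if flag == "Secure" and not https:
            continue  # Secure on a plain-HTTP site would make the cookie unusable
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(p for p in parts if p)


def harden_response_headers(headers, https: bool = True):
    """Rewrite every Set-Cookie in a list of (name, value) response headers,
    the way the load-balancer rule in the thread does for all cookies."""
    return [
        (name, harden_set_cookie(value, https)) if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed sample response; cookie names are illustrative only.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "_s=abc123; Path=/"),
        ("Set-Cookie", "pref=dark; Path=/; httponly; Max-Age=3600"),
    ]
    for name, value in harden_response_headers(sample):
        print(f"{name}: {value}")
```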
