[Seaside-dev] Session Cookie Security

Boris Popov boris at deepcovelabs.com
Tue Mar 17 22:39:57 UTC 2009


Hey,

Our auditors had recently completed comprehensive penetration testing of
our Seaside-based applications and one of the medium-priority
recommendations they had was to flag session cookies with 'HTTPOnly' and
'Secure' (latter only applies to secure sites, i.e. #serverProtocol =
#https). To be honest, I haven't had a chance to make a patch on 2.8
yet, simply because we don't use cookies for session tracking in
production right now, but I figured someone here might be interested
enough to pick this up anyway.

http://www.owasp.org/index.php/HTTPOnly
http://www.owasp.org/index.php/OWASP_AppSec_FAQ#What_are_these_secure_cookies.3F

There's plenty more on Google about these two.

Cheers! 

-Boris

--
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4

boris at deepcovelabs.com

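The check the auditors applied, written out as an added example that is not part of Boris's post and not Seaside code: a small Python audit of a Set-Cookie header that flags a missing HttpOnly, and a missing Secure only when the site is served over https, next to a builder that emits a cookie passing that audit. The cookie name "_s" and value are constructed sample data.

```python
"""Audit a Set-Cookie header for the two attributes the auditors asked for.

Hypothetical helpers, not part of Seaside: the rule is the one from the
post, HttpOnly always, Secure only when the site is served over https.
"""
from http.cookies import SimpleCookie


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly carry no value; store "" for them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, scheme):
    """Return a list of findings; an empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    # Secure is only meaningful (and only required) on an https site.
    if scheme == "https" and "secure" not in attrs:
        findings.append(f"{name}: missing Secure on an https site")
    return findings


def build_session_cookie(name, value, scheme, path="/"):
    """Emit a Set-Cookie value carrying the flags the audit expects."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    cookie[name]["httponly"] = True
    if scheme == "https":
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed sample: a bare session cookie as a server might emit it.
    print(audit_set_cookie("_s=abc123; Path=/", "https"))
    print(build_session_cookie("_s", "abc123", "https"))
```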