[Seaside-dev] Session Cookie Security
Boris Popov
boris at deepcovelabs.com
Tue Mar 17 23:48:00 UTC 2009
I just put a quick hack together just to see this in action,
MySession>>sessionCookie
	"Wrap the cookie the superclass builds so the flags get written out.
	 Secure is only set when the application is served over https."
	| plain secure |
	plain := super sessionCookie.
	secure := (WASecureCookie new)
		key: plain key;
		value: plain value;
		path: plain path;
		httponly: true;
		secure: self application serverProtocol = #https;
		yourself.
	plain expiry ifNotNil: [:exp | secure expiry: exp].
	^secure

DeepCoveLabs.Web defineClass: #WASecureCookie
	superclass: #{Seaside.WACookie}
	indexedType: #none
	private: false
	instanceVariableNames: 'secure httponly '
	classInstanceVariableNames: ''
	imports: ''
	category: ''!

!DeepCoveLabs.Web.WASecureCookie methodsFor: 'accessing'!

httponly
	"Default to HttpOnly; there is no reason for script to read a session cookie."
	^httponly ifNil: [httponly := true].!

httponly: anObject
	httponly := anObject.!

secure
	"Default to off: a Secure cookie is never sent back over plain http,
	 so only enable it when the site really is served over https."
	^secure ifNil: [secure := false].!

secure: anObject
	secure := anObject.! !

!DeepCoveLabs.Web.WASecureCookie methodsFor: 'writing'!

writeOn: aStream
	"Emit the standard cookie, then append the flags as trailing attributes."
	super writeOn: aStream.
	self secure ifTrue: [aStream nextPutAll: '; secure'].
	self httponly ifTrue: [aStream nextPutAll: '; HttpOnly'].! !
Of course, in my case Opentalk converts these cookies into its own
entities, so I need to update it as well, but this is the basic idea.
Cheers!
-Boris
--
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4
boris at deepcovelabs.com
CONFIDENTIALITY NOTICE
This email is intended only for the persons named in the message header.
Unless otherwise indicated, it contains information that is private and
confidential. If you have received it in error, please notify the sender
and delete the entire message including any attachments.
Thank you.
-----Original Message-----
From: seaside-dev-bounces at lists.squeakfoundation.org
[mailto:seaside-dev-bounces at lists.squeakfoundation.org] On Behalf Of
Boris Popov
Sent: Tuesday, March 17, 2009 3:40 PM
To: seaside-dev at lists.squeakfoundation.org
Subject: [Seaside-dev] Session Cookie Security
Hey,
Our auditors had recently completed comprehensive penetration testing of
our Seaside-based applications and one of the medium-priority
recommendations they had was to flag session cookies with 'HTTPOnly' and
'Secure' (latter only applies to secure sites, i.e. #serverProtocol =
#https). To be honest, I haven't had a chance to make a patch on 2.8
yet, simply because we don't use cookies for session tracking in
production right now, but I figured someone here might be interested
enough to pick this up anyway.
http://www.owasp.org/index.php/HTTPOnly
http://www.owasp.org/index.php/OWASP_AppSec_FAQ#What_are_these_secure_cookies.3F
There's plenty more on Google about these two.
Cheers!
-Boris
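The same two rules the auditors asked for, as an added example in Python rather than code from the post or from Seaside: a builder that writes the Set-Cookie value the way the Smalltalk above does (HttpOnly always, Secure only when the server protocol is https), plus the check a pentester runs against a captured response to spot session cookies that lack the flags. The cookie name `_s`, the function names and the sample response are constructed for this example and are not Seaside's.

```python
"""Set-Cookie flag builder and auditor. Added example, not Seaside code;
names and sample data below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names lower-cased, value None for bare flags such as Secure
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attrs


def build_session_cookie(name: str, value: str, path: str,
                         server_protocol: str,
                         expiry: Optional[str] = None) -> str:
    """Render a Set-Cookie header value. Mirrors the Smalltalk hack:
    HttpOnly is always written, Secure only when served over https."""
    parts = [f"{name}={value}", f"path={path}"]
    if expiry:
        parts.append(f"expires={expiry}")
    if server_protocol.lower() == "https":
        parts.append("Secure")
    parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie value into name, value and its attributes.
    Attribute names are case-insensitive, so they are lower-cased."""
    pieces = [p.strip() for p in header.split(";")]
    name, _sep, value = pieces[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit_session_cookie(header: str, served_over_https: bool) -> List[str]:
    """Return the findings an auditor would raise for one Set-Cookie value."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if not cookie.has_flag("httponly"):
        findings.append(f"{cookie.name}: missing HttpOnly "
                        "(readable from script via document.cookie)")
    if served_over_https and not cookie.has_flag("secure"):
        findings.append(f"{cookie.name}: missing Secure "
                        "(browser will also send it over plain http)")
    if not served_over_https and cookie.has_flag("secure"):
        findings.append(f"{cookie.name}: Secure set on an http deployment "
                        "(browser will never send it back, session breaks)")
    return findings


def audit_response(raw_response: str, served_over_https: bool) -> List[str]:
    """Scan the header block of a captured HTTP response for Set-Cookie
    lines and audit each one."""
    findings: List[str] = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        field_name, sep, field_value = line.partition(":")
        if sep and field_name.strip().lower() == "set-cookie":
            findings.extend(audit_session_cookie(field_value.strip(),
                                                 served_over_https))
    return findings


# Constructed sample: a response as an unpatched app might send it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: _s=abc123; path=/\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(build_session_cookie("_s", "abc123", "/", "https"))
    for finding in audit_response(SAMPLE_RESPONSE, served_over_https=True):
        print("FINDING:", finding)
```

Two caveats the flags do not change: Secure only tells the browser not to send the cookie over plain http, so the application itself still has to be reachable over https for the session to survive; and HttpOnly keeps script from reading the cookie but does nothing about the cross-site scripting that would have read it.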