[Seaside-dev] Session Cookie Security

Philippe Marschall philippe.marschall at gmail.com
Wed Mar 18 06:36:17 UTC 2009


And we set the discard attribute so the browser deletes it when closing the tab.

Cheers
Philippe

2009/3/18 Philippe Marschall <philippe.marschall at gmail.com>:
> I know it doesn't help you very much right now but both of them are in
> Seaside 2.9.
>
> Cheers
> Philippe
>
> 2009/3/17 Boris Popov <boris at deepcovelabs.com>:
>> Hey,
>>
>> Our auditors had recently completed comprehensive penetration testing of
>> our Seaside-based applications and one of the medium-priority
>> recommendations they had was to flag session cookies with 'HTTPOnly' and
>> 'Secure' (latter only applies to secure sites, i.e. #serverProtocol =
>> #https). To be honest, I haven't had a chance to make a patch on 2.8
>> yet, simply because we don't use cookies for session tracking in
>> production right now, but I figured someone here might be interested
>> enough to pick this up anyway.
>>
>> http://www.owasp.org/index.php/HTTPOnly
>> http://www.owasp.org/index.php/OWASP_AppSec_FAQ#What_are_these_secure_cookies.3F
>>
>> There's plenty more on Google about these two.
>>
>> Cheers!
>>
>> -Boris
>>
>

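The check the auditors describe above, as an added example that is not part of this thread or of Seaside itself: a small Set-Cookie parser plus a policy check that expects HttpOnly on the session cookie and Secure only when the site is served over HTTPS (the `server_protocol` argument stands in for Seaside's #serverProtocol setting; the `_s` cookie headers are constructed samples).

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SetCookie:
    """One parsed Set-Cookie header: the name/value pair and its attributes."""
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # keys lower-cased


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header value into the cookie pair and its attributes.

    Attribute names (Path, HttpOnly, Secure, ...) are case-insensitive, so
    they are normalised to lower case; flag attributes get an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def audit_session_cookie(header: str, server_protocol: str) -> List[str]:
    """Return the findings an auditor would raise for one session cookie.

    server_protocol mirrors Seaside's #serverProtocol ('http' or 'https').
    An empty list means the cookie satisfies the recommendation.
    """
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: page scripts can read the session id")
    if server_protocol == "https" and "secure" not in cookie.attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if server_protocol != "https" and "secure" in cookie.attrs:
        findings.append("Secure on a non-HTTPS site: the browser never sends it")
    return findings


if __name__ == "__main__":
    # Constructed samples: the weak header beside its hardened form.
    for hdr in ("_s=abc123; Path=/", "_s=abc123; Path=/; HttpOnly; Secure"):
        print(hdr, "->", audit_session_cookie(hdr, "https") or "ok")
```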
