Closed Bug 600394 Opened 15 years ago Closed 14 years ago

Use HTTPOnly Flag to Protect Cookie Values

Categories: (support.mozilla.org :: General, defect)
Priority: Not set
Severity: major
Status: RESOLVED FIXED
People: (Reporter: mcoates, Unassigned)
Whiteboard: [infrasec:cookie]

Issue

None of the cookies are using the HTTPOnly flag (most notably the token cookies and custcare_access). This flag serves as a secondary protection to prevent session hijacking in the case of XSS attacks.

Steps to reproduce:
1. Login
2. Enter the following JavaScript into the URL: javascript:document.write(document.cookie);document.close();
3. All printed cookies are not using the HTTPOnly flag

This will not necessarily show all of the cookies since some of the cookies may have been cleared. Inspecting the set-cookie headers within the HTTP Response for each cookie will show whether the value "HTTPONLY" has been set.

Recommended Remediation

Whenever a cookie is set also set the HTTPOnly flag. This will instruct the browser to not allow JavaScript access to the cookie.
Whiteboard: [infrasec:cookie]
Component: Customer Care → General
QA Contact: customer-care → general
I haven't read this whole ticket, but if I understand correctly, setting the HTTPOnly flag isn't currently supported by Django. http://code.djangoproject.com/ticket/3304 There might be a workaround, just pointing out that we'll have to find one ;)
I read through the ticket. It looks like support has been added for python and there are several patches or middleware examples to get it working in django. Whatever we decide to do, let's add that into our commonware.
There is an example of middleware that could be adapted for Python 2.6[1], though I'm not sure what license it's under. [1] http://code.google.com/p/pageforest/source/browse/appengine/utils/cookies.py
No longer blocks: 598765
(In reply to comment #3)
> There is an example of middleware that could be adapted for Python 2.6[1],
> though I'm not sure what license it's under.
>
> [1] http://code.google.com/p/pageforest/source/browse/appengine/utils/cookies.py

Looks like the project owner is the same that posted on the django ticket, so I'm guessing they're OK with people using it. I've sent an email to confirm. I still need to look at the code and understand how it works, but seems like we can do this for 2.2.5
I think you'll need to update that code for Python 2.6, and this should be part of commonware. I'll add you as a collaborator if you aren't already.
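The two halves of this ticket, the Set-Cookie header audit the report describes and the middleware workaround discussed in the comments, as an added example that is not code from the report, from kitsune/commonware or from the pageforest project. It is stdlib-only WSGI (the layer Django sits on), and the cookie names and values in demo_app are constructed.

```python
# Added example (not from the bug report, kitsune or commonware): a WSGI
# middleware that appends HttpOnly to every outgoing Set-Cookie header, plus
# the header audit the report recommends. Cookie names/values are constructed.

def _attr_names(set_cookie_value):
    """Lower-cased attribute names (Path, Secure, HttpOnly...) of one Set-Cookie value."""
    return {p.strip().split("=", 1)[0].lower()
            for p in set_cookie_value.split(";")[1:] if p.strip()}

def cookies_missing_httponly(headers):
    """Names of cookies whose Set-Cookie header lacks HttpOnly (the audit step)."""
    return [value.split(";", 1)[0].split("=", 1)[0].strip()
            for name, value in headers
            if name.lower() == "set-cookie" and "httponly" not in _attr_names(value)]

def add_httponly(set_cookie_value):
    """Append '; HttpOnly' unless the attribute is already present."""
    if "httponly" in _attr_names(set_cookie_value):
        return set_cookie_value
    return set_cookie_value.rstrip("; ") + "; HttpOnly"

class HttpOnlyCookieMiddleware:
    """Wrap a WSGI app so every Set-Cookie it emits carries HttpOnly."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            fixed = [(k, add_httponly(v) if k.lower() == "set-cookie" else v)
                     for k, v in headers]
            return start_response(status, fixed, exc_info)
        return self.app(environ, patched_start)

def demo_app(environ, start_response):
    """Constructed stand-in for the site: sets two cookies, neither HttpOnly."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Set-Cookie", "custcare_access=tok456; Path=/; Secure"),
    ])
    return [b"ok"]

def call_app(app):
    """Drive a WSGI app once with a minimal environ and return its response headers."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured
```

Wrapping demo_app in HttpOnlyCookieMiddleware makes cookies_missing_httponly return an empty list; the audit function can equally be run over Set-Cookie headers captured from a real response.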
https://github.com/mozilla/kitsune/blob/master/settings.py#L588 This is fixed in the current version of Django. Confirmed that session cookies don't appear in document.cookie.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security