Closed Bug 702590 Opened 14 years ago Closed 12 years ago

HTTPOnly flag on sessionid cookie is cleared on logout

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

defect
Not set
minor

Tracking

(Not tracked)

RESOLVED WORKSFORME
2014-04

People

(Reporter: mgoodwin, Unassigned)


Details

(Keywords: sec-low, Whiteboard: [infrasec:cookie][ws:low][wh-6950959][wh-6963265][wh-6964915][wh-7358612])

Issue: Logout overwrites the sessionid cookie on AMO, but the HTTPOnly flag is cleared.

Steps to reproduce:
1) log in to AMO
2) log out
3) observe that the server response lacks the HTTPOnly flag

Resolution: Set the HTTPOnly flag
Whiteboard: [infrasec:cookie][ws:low][wh-6950959][wh-6963265] → [infrasec:cookie][ws:low][wh-6950959][wh-6963265][wh-6964915]
Whiteboard: [infrasec:cookie][ws:low][wh-6950959][wh-6963265][wh-6964915] → [infrasec:cookie][ws:low][wh-6950959][wh-6963265][wh-6964915][wh-7358612]
I cannot reproduce. Here is what I have on the logout request HTTP headers:

Set-Cookie sessionid="e30:1WXW9N:9HgT35FZE9Bn0rdjZIPl9KGmjbo"; Domain=.addons.mozilla.org; httponly; Path=/; secure

The Django 1.4 version has turned on the HttpOnly flag by default on session cookies: https://docs.djangoproject.com/en/dev/releases/1.4/#session-cookies-now-have-the-httponly-flag-by-default so maybe it has been fixed by this when updating Django since this ticket was created.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Target Milestone: --- → 2014-04
Group: client-services-security
Product: addons.mozilla.org → addons.mozilla.org Graveyard
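The check the reporter performed by hand, as an added example (not code from the bug, from AMO or from Django): parse every Set-Cookie header in a logout response and report a sessionid cookie that is re-issued without HttpOnly or Secure. The "fixed" sample is the header quoted in the comment above; the "reported" sample is a constructed copy with httponly dropped, matching the behaviour the reporter described.

```python
"""Audit Set-Cookie headers on a logout response for HttpOnly / Secure.

Django >= 1.4 sets HttpOnly on the session cookie by default
(setting SESSION_COOKIE_HTTPONLY); earlier versions did not, so a logout
that re-issues sessionid could leave it readable from script.
"""
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or True for flags


def parse_set_cookie(header: str) -> CookieInfo:
    """Minimal Set-Cookie parser: 'name=value; Attr=val; Flag'.

    Attribute names are case-insensitive (Django emits 'httponly').
    Assumes no ';' inside the cookie value, which holds for sessionid.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return CookieInfo(name.strip(), value.strip().strip('"'), attrs)


def audit_session_cookies(set_cookie_headers, session_cookie="sessionid"):
    """Return findings for the session cookie; empty list means it is safe."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name != session_cookie:
            continue  # other cookies are out of scope for this bug
        if "httponly" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if "secure" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing Secure")
    return findings


# Header quoted in the bug comment (HttpOnly present).
LOGOUT_HEADER_FIXED = ('sessionid="e30:1WXW9N:9HgT35FZE9Bn0rdjZIPl9KGmjbo"; '
                       'Domain=.addons.mozilla.org; httponly; Path=/; secure')
# Constructed sample reproducing the reported defect: same cookie, no httponly.
LOGOUT_HEADER_REPORTED = ('sessionid="e30:1WXW9N:9HgT35FZE9Bn0rdjZIPl9KGmjbo"; '
                          'Domain=.addons.mozilla.org; Path=/; secure')

if __name__ == "__main__":
    print("fixed:   ", audit_session_cookies([LOGOUT_HEADER_FIXED]))
    print("reported:", audit_session_cookies([LOGOUT_HEADER_REPORTED]))
```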