Pelle Braendgaard
2008-Sep-15 04:02 UTC
Please review my http_only patch for the CookieStore
Hi,

In a security review of our application I realized that the CookieStore cookie wasn't using a HttpOnly cookie. I thought I had seen HttpOnly cookies somewhere in Rails and found that Rails cookie support does support it; it was never brought forward to the actual CookieStore.

http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/1046-http-only-cookies-in-cookiestore

While the cookie store is tamper proof, abusive JavaScript could still remove the session cookie or cause a TamperedWithCookie exception.

This patch exposes a configuration parameter :session_http_only which defaults to true. This sets the HttpOnly flag on the cookie from the CookieStore. The patch itself is pretty simple and allows you to turn off HttpOnly if necessary.

Pelle

--
http://agree2.com - Reach Agreement!
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
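As an added illustration (not the patch from the post, and not Rails code), the following Ruby shows what the HttpOnly attribute looks like on a session cookie and an audit that flags session cookies sent without it. The function names, the `http_only:` keyword standing in for the post's :session_http_only option, and the sample headers are all constructed for this example.

```ruby
require 'cgi'

# Build a Set-Cookie value for a CookieStore-style session cookie.
# `http_only` plays the role of the :session_http_only option described in
# the post (hypothetical name here); when true the browser keeps the cookie
# out of reach of document.cookie, so script cannot read or delete it.
def session_set_cookie(name, value, http_only: true, secure: false, path: '/')
  attrs = ["#{name}=#{CGI.escape(value)}", "path=#{path}"]
  attrs << 'secure' if secure
  attrs << 'HttpOnly' if http_only
  attrs.join('; ')
end

# Parse one Set-Cookie header into the cookie name and its lowercased
# attribute names (values of attributes such as path are dropped).
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, _value = pair.split('=', 2)
  { name: name, attributes: attrs.map { |a| a.split('=', 2).first.downcase } }
end

# Audit a response's Set-Cookie headers: return the names of session
# cookies that were sent without HttpOnly. Non-session cookies are ignored.
def session_cookies_missing_http_only(set_cookie_headers, session_name: '_session_id')
  set_cookie_headers
    .map { |h| parse_set_cookie(h) }
    .select { |c| c[:name] == session_name && !c[:attributes].include?('httponly') }
    .map { |c| c[:name] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers: what a server might send before and after
  # enabling the flag. The cookie value is a placeholder, not a real session.
  before = [session_set_cookie('_session_id', 'constructed-value--constructed-digest', http_only: false)]
  after  = [session_set_cookie('_session_id', 'constructed-value--constructed-digest', http_only: true)]
  puts "before: #{session_cookies_missing_http_only(before).inspect}" # ["_session_id"]
  puts "after:  #{session_cookies_missing_http_only(after).inspect}"  # []
end
```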