durusmail: quixote-users: Patch for secure and httponly cookies
Patch for secure and httponly cookies
Emmanuel Dreyfus
2009-04-11
Hello

It seems that Quixote 2.6 has no support for enforcing the secure and
httponly flags for session cookies. This is important, as there are some
documented attacks for stealing session cookies that are supposed to be
secured over SSL, if they do not have the two flags set.

Here is a patch that adds two config options: session_cookie_secure and
session_cookie_httponly:
http://ftp.espci.fr/shadow/manu/securecookie.patch

Any chance to get that committed?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
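
Added example, not part of the original post and not code from Quixote or from the linked patch: what the two flags change in a Set-Cookie header, and a check that reports session cookies sent without them. The function names, the cookie name session_id and the sample headers are assumptions constructed for illustration; the secure/httponly parameters are only modelled on the option names in the post.

```python
# Added example, not Quixote code. The secure/httponly parameters mirror the
# patch's option names as an assumption; all header values are constructed.

def build_session_cookie(name, value, path="/", secure=False, httponly=False):
    """Build a Set-Cookie header value, appending the flags when enabled."""
    parts = ["%s=%s" % (name, value), "Path=%s" % path]
    if secure:
        parts.append("Secure")      # browser sends the cookie over HTTPS only
    if httponly:
        parts.append("HttpOnly")    # cookie is hidden from document.cookie
    return "; ".join(parts)


def parse_attrs(header):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute names to values."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs


def missing_flags(header):
    """List the flags (Secure, HttpOnly) absent from one Set-Cookie value."""
    _, attrs = parse_attrs(header)
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


def audit(headers, session_cookie_name):
    """Map each header that sets the session cookie to its missing flags."""
    return {h: missing_flags(h) for h in headers
            if parse_attrs(h)[0] == session_cookie_name}


# Constructed sample responses.
SAMPLES = [
    build_session_cookie("session_id", "abc123"),   # both flags off
    build_session_cookie("session_id", "abc123", secure=True, httponly=True),
    "session_id=abc123; Path=/secure; httponly",    # 'secure' appears only in the path
    "theme=dark; Path=/",                           # not the session cookie, ignored
]

if __name__ == "__main__":
    for header, missing in audit(SAMPLES, "session_id").items():
        print("%-50s missing: %s" % (header, ", ".join(missing) or "none"))
```

Attribute names are compared case-insensitively and per attribute, so a path such as /secure does not count as the Secure flag the way a substring match on the raw header would.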