durusmail: quixote-users: Patch for secure and httponly cookies
Patch for secure and httponly cookies
Neil Schemenauer
2009-04-12
Emmanuel Dreyfus wrote:
> It seems that Quixote 2.6 has no support for enforcing the secure and
> httponly flags for session cookies. This is important, as there are some
> documented attacks for stealing session cookies that are supposed to be
> secured over SSL, if they do not have the two flags set.

Is there any reason for having both SESSION_COOKIE_SECURE and
SESSION_COOKIE_HTTPONLY? Maybe SESSION_COOKIE_SECURE should imply
both.

> Here is a patch that adds two config options: session_cookie_secure and
> session_cookie_httponly:
> http://ftp.espci.fr/shadow/manu/securecookie.patch
>
> Any chance to get that committed?

Yes, sure.

  Neil

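As an added illustration of the thread's point (not Quixote's code and not the linked patch), the hypothetical helpers below render a session Set-Cookie header from two settings named after the patch's options, with the Secure-implies-HttpOnly behaviour Neil floats, and audit an emitted header for the two flags so a deployment can be checked.

```python
"""Added example, not part of Quixote or the securecookie patch.
session_cookie_header / missing_cookie_flags are hypothetical helper names."""


def session_cookie_header(name, value, secure, httponly, path="/"):
    """Render a Set-Cookie header value for a session cookie.

    secure   -> adds Secure, so the browser only sends the cookie over TLS
    httponly -> adds HttpOnly, so script cannot read it via document.cookie
    Following the suggestion in the thread, secure=True also sets HttpOnly.
    """
    attrs = ["%s=%s" % (name, value), "Path=%s" % path]
    if secure:
        attrs.append("Secure")
    if secure or httponly:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def missing_cookie_flags(set_cookie):
    """Return the set of hardening flags absent from a Set-Cookie value.

    Run it over the Set-Cookie headers a server actually emits for its
    session cookie; a non-empty result means the cookie is exposed to
    cleartext transport (no Secure) or to script access (no HttpOnly).
    Attribute names are matched case-insensitively, as browsers do.
    """
    present = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {flag for flag in ("secure", "httponly") if flag not in present}


if __name__ == "__main__":
    # Constructed sample values; "abc123" is not a real session id.
    weak = session_cookie_header("QX_session", "abc123", secure=False, httponly=False)
    hard = session_cookie_header("QX_session", "abc123", secure=True, httponly=False)
    print(weak, "->", sorted(missing_cookie_flags(weak)))
    print(hard, "->", sorted(missing_cookie_flags(hard)))
```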