[PATCH] Add support for HttpOnly session cookies

[juha.mustonen@…]

To improve the session cookie security, allow creating cookies with HttpOnly flag (see: ​http://en.wikipedia.org/wiki/HTTP_cookie#HttpOnly_cookie)

Patch included - it can be successfully applied on both 0.12.x and trunk.

[juha.mustonen@…]

Patch for adding httponly cookie support

[Remy Blank]

The Wikipedia article is funny:

This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting.

"Mitigates but does not eliminate." So, is this really useful?

Still, thanks for the patch.

[py.hieroglyph@…]

Replying to rblank:

The Wikipedia article is funny:

This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting.

"Mitigates but does not eliminate." So, is this really useful?

Surely "reduced" risk is better than otherwise? Is there any reason not to apply the attribute (applies only to session cookies anyway)? I would like to see this added, especially as the patch is relatively trivial.

[Remy Blank]

Having learned a bit more about HTTP-only cookies, I think this patch is a good idea. It should probably even default to True.

One thing I'm not sure yet, should the httponly attribute be set on all cookies, or only the auth cookie?

[Peter Suter]

I'm not sure if this matters, but ​apparently Python 2.5 did not support httponly. E.g. ​Django seems to jump through quite a few hoops because of this.

[Remy Blank]

Use httponly cookies by default.

[Remy Blank]

Good catch, thanks! No, I don't want to go to that much trouble. Let's just activate the feature with 2.6 or higher.

10453-httponly-cookies-r11008.patch​ enhances httponly_cookies.patch​ by limiting the feature to Python ≥ 2.6, setting the attribute on all cookies, and enabling it by default. This should be fairly safe, and only sites using plugins that require access to Trac cookies from JavaScript should disable the feature.

Thoughts?

[Christian Boos]

I wonder if there's any downside on having this setting enabled (performance or limitations for the ​TH:XmlRpcPlugin). If yes, they should be documented somewhere (at least mentioned briefly in the option doc). If there are no downsides, then perhaps we could just use this unconditionally and save the trouble for an additional option.

[Remy Blank]

As far as performance is concerned, I see only the additional few bytes for the httponly flag in the cookies, so an increase of at most ~40 bytes in the responses. I would say this is negligible. I don't see how it could affect the ​th:XmlRpcPlugin, as it only affects JavaScript code, and that plugin doesn't have any.

The only possible downside that I can see is if some plugin actually wants to access any of the cookies in JavaScript for legitimate reasons (I couldn't find any reasons off the top of my head, but there may be), then that plugin would be broken.

I agree that it would be desirable to get rid of the option, so I'll research on trac-hacks to see if I can find any plugins accessing cookies from JavaScript.

[Remy Blank]

Enable httponly cookie attribute unconditionally with Python ≥ 2.6.

[Remy Blank]

There are no .js or .html files in all of trac-hacks that reference any of the cookies defined by Trac (trac_auth, trac_session, trac_form_token). So I would say it's pretty safe to enable the httponly attribute. 10453-httponly-cookies-unconditional-r11008.patch​ does that.

Ok to apply?