Module: check_mk Branch: master Commit: 86a8383d0d992d96a0053e1759500ea56b721da9 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=86a8383d0d992d… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Tue Jun 30 13:46:06 2015 +0200 #2392 SEC Auth cookie is always using "httponly" flag All newly issued authentication cookies have the flag "httponly" set now. This makes the cookie values inaccessible from scripts executed in the browser, e.g. from Javascript. This secures the cookie against some sorts of cookie stealing attempts. See https://www.owasp.org/index.php/HttpOnly for details. --- .werks/2392 | 15 +++++++++++++++ ChangeLog | 1 + web/htdocs/html_mod_python.py | 3 ++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/.werks/2392 b/.werks/2392 new file mode 100644 index 0000000..4b1a249 --- /dev/null +++ b/.werks/2392 @@ -0,0 +1,15 @@ +Title: Auth cookie is always using "httponly" flag +Level: 1 +Component: multisite +Class: security +Compatible: compat +State: unknown +Version: 1.2.7i3 +Date: 1435664667 + +All newly issued authentication cookies have the flag "httponly" +set now. This makes the cookie values inaccessible from scripts +executed in the browser, e.g. from Javascript. This secures the +cookie against some sorts of cookie stealing attempts. + +See https://www.owasp.org/index.php/HttpOnly for details. diff --git a/ChangeLog b/ChangeLog index ec63693..90509c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,7 @@ * 2389 SEC: Fixed XSS using the _body_class parameter of views... * 2390 SEC: Fixed possible XSS issue on views... * 2391 SEC: Auth cookie is using "secure" flag when HTTPS request detected... + * 2392 SEC: Auth cookie is always using "httponly" flag... * 2314 FIX: Availability: fixed exception when grouping by host or service group * 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views * 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http... diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py index 1c72e2f..c15d54c 100644 --- a/web/htdocs/html_mod_python.py +++ b/web/htdocs/html_mod_python.py @@ -70,7 +70,8 @@ class html_mod_python(htmllib.html): return self.req.headers_in.get('X-Forwarded-Proto') == 'https' def set_cookie(self, varname, value, expires = None): - c = Cookie.Cookie(varname, value, path='/', secure=self.is_ssl_request()) + # httponly tells the browser not to make this cookie available to Javascript + c = Cookie.Cookie(varname, value, path='/', secure=self.is_ssl_request(), httponly=True) if expires is not None: c.expires = expires