Securing your Web Application with httponly cookies OR How Apache.org and Atlassian could have been secured

The other day I was reading about the Apache.org and Atlassian compromise. Max wrote a really nice summary of how that attack could have been prevented. One of the points he raised was that they should have used HttpOnly cookies.
I then realized that we might have the same problem at Loggly. After dumping some traffic from our own web sessions, I saw that Django (at least the version we run) has no setting for HttpOnly cookies and was not putting the flag on the session cookie. A quick Google search turned up a djangosnippet that adds it. I had to rewrite it slightly, so here is the code I am using:
<pre name=code class=python>from django.conf import settings

class cookie_httponly(object):
    """Old-style Django middleware: mark the session cookie HttpOnly on every response."""
    def process_response(self, request, response):
        scn = settings.SESSION_COOKIE_NAME or 'sessionid'
        # response.cookies is a SimpleCookie; only touch it if the session cookie is being set
        if scn in response.cookies:
            response.cookies[scn]['httponly'] = True
        return response  # outside the if: every response must be returned, cookie or not
</pre>
Add the middleware to MIDDLEWARE_CLASSES directly before SessionMiddleware: Django runs process_response in reverse list order, so listing ours first means it runs after SessionMiddleware has written the session cookie and the flag actually lands on it. (Newer Django releases make this middleware unnecessary: SESSION_COOKIE_HTTPONLY, added in 1.4 and on by default, sets the flag itself.) If you are on Python 2.6 or higher, that is all: 2.6 added httponly to the Cookie module. Unfortunately, we are running Python 2.5, whose Cookie module does not know the attribute and rejects response.cookies[scn]['httponly'] = True as an invalid attribute. A quick patch to Cookie.py fixes that as well:
<pre name=code class=bash>—- /usr/lib/python2.5/Cookie.py (revision 66233)
+ /usr/lib/python2.5/Cookie.py (working copy)
@ -408,6 +408,9 @
- For historical reasons, these attributes are also reserved:
-
expires
#
+ # This is an extension from Microsoft:
+ # httponly
+ # - This dictionary provides a mapping from the lowercase
- variant on the left to the appropriate traditional
-
formatting on the right.
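Review bot: as pasted, this patch will not apply: the file header reads `—- /usr/lib/python2.5/Cookie.py` with no `+++` line for the working copy, and the hunk header `@ -408,6 +408,9 @` has lost its paired `@@` markers, so re-export the diff before anyone tries to use it. In the comment block itself, "This is an extension from Microsoft" says where the attribute came from but not how it behaves; add that `httponly` is a value-less flag attribute like `secure`, which is exactly how the new `elif K == "httponly":` branch further down treats it.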
@ -417,6 +420,7 @
“domain” : “Domain”,
“max-age” : “Max-Age”,
“secure” : “secure”,
+ “httponly” : “httponly”,
“version” : “Version”,
}
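Review bot: this dictionary entry is what lets `morsel['httponly'] = True` pass the reserved-attribute check instead of raising CookieError, but on its own the value would be serialized by the generic `else` branch as `httponly=True`; it only becomes a bare flag together with the `elif K == "httponly":` branch in the next hunk, so land the two hunks together and add a test that the emitted string ends in `; httponly` rather than `; httponly=True`. The right-hand side is the spelling that is emitted (per the comment above, "the appropriate traditional formatting on the right"); browsers match attribute names case-insensitively so lowercase works, but `"HttpOnly"` would match the capitalisation used in every other description of the flag.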
@ -499,6 +503,8 @
RA)
elif K == “secure”:
RA)
+ elif K == “httponly”:
+ RA)
else:
RA)
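Review bot: the `RA(...)` arguments are truncated to `RA)` in all four branches of this listing, so the hunk can neither be reviewed for correctness nor applied as shown; the new `httponly` branch must emit the bare attribute name exactly as the `secure` branch does, with no `=value`, or `morsel['httponly'] = True` comes out as `httponly=True`. Since the two branches then have identical bodies, a single `elif K in ("secure", "httponly"):` avoids the duplication and keeps the two flags from drifting apart later.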
Loggly's session cookie is now flagged HttpOnly. To be precise about what that buys: HttpOnly does not stop XSS, it stops script from reading the cookie through document.cookie, so an injected script can no longer lift the session id and hand it to the attacker, which is the kind of session theft the Apache write-up recommended the flag against. A script running in the page can still issue requests that ride the victim's session, so this is a mitigation for cookie theft, not a fix for the injection itself. Pair it with the Secure flag so the cookie is never sent over plain HTTP.
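To see what the middleware changes on the wire, and to check a traffic dump for cookies that still lack the flag, here is an added example (mine, not code from the post or from Django). It uses only the Python 3 standard library, where http.cookies is the renamed Cookie module patched above and already knows httponly. The cookie name, the session id values and the Set-Cookie lines are constructed for the example.

```python
"""Added example: render the session Set-Cookie header with and without the
HttpOnly flag, and audit Set-Cookie values captured from a traffic dump.
Not code from the original post or from Django; standard library only."""
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"   # Django's default name; assumed for the example


def session_set_cookie(session_id, httponly=True, secure=True):
    """Build the Set-Cookie header value for the session cookie.

    Setting morsel["httponly"] = True is the same operation the middleware
    in the post performs on response.cookies[scn]; SimpleCookie serializes
    it as a bare 'HttpOnly' attribute.
    """
    jar = SimpleCookie()
    jar[SESSION_COOKIE_NAME] = session_id
    morsel = jar[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    if httponly:
        morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value, require_secure=True):
    """Return the list of protections missing from one Set-Cookie value.

    Attribute names are compared case-insensitively, as browsers do, so
    'httponly', 'HttpOnly' and 'HTTPONLY' all count.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if require_secure and "secure" not in attrs:
        missing.append("Secure")
    return missing


# Constructed sample: Set-Cookie values as they might appear in a traffic dump.
SAMPLE_SET_COOKIES = [
    "sessionid=5e9c0a; Path=/",                      # what we found: no flags at all
    "csrftoken=9f2b; Path=/; Max-Age=31449600",      # a second unflagged cookie
    "sessionid=5e9c0a; HttpOnly; Path=/; Secure",    # after the middleware
]


def audit_dump(set_cookie_values):
    """Return [(cookie_name, missing_protections)] for every value that lacks one."""
    report = []
    for value in set_cookie_values:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        missing = audit_set_cookie(value)
        if missing:
            report.append((name, missing))
    return report


if __name__ == "__main__":
    print("before:", session_set_cookie("5e9c0a", httponly=False, secure=False))
    print("after: ", session_set_cookie("5e9c0a"))
    for name, missing in audit_dump(SAMPLE_SET_COOKIES):
        print("%s is missing %s" % (name, ", ".join(missing)))
```

The audit also reports a missing Secure attribute, because a cookie that script cannot read but that still travels over plain HTTP is exposed to anyone on the path; drop require_secure for a development server that only speaks HTTP.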
Rob 15 Jul, 2010 04:14pm
Hi Raffy!
Your middleware code has a small bug. You need to exdent 'return response'.
Raffy 15 Jul, 2010 04:20pm
Thanks Rob. Fixed it.