The other day I was reading about the Apache and Atlassian hack. Max wrote a really nice summary of how that attack could have been prevented. One of the points he raised was that they should have used HttpOnly cookies.
I then realized that we might have the same problem with Loggly. After some traffic dumping of our Web sessions, I realized that Django didn’t support HttpOnly cookies. A quick Google search revealed that someone wrote a djangosnippet to add HttpOnly cookies. I had to slightly rewrite it, so here is the code I am using:
<pre name=code class=python>from django.conf import settings

class cookie_httponly(object):
    # Marks the Django session cookie HttpOnly so page scripts cannot read it.
    def process_response(self, request, response):
        scn = settings.SESSION_COOKIE_NAME or 'sessionid'
        # Only responses that (re)set the session cookie carry it here.
        if scn in response.cookies:
            response.cookies[scn]['httponly'] = True
        return response</pre>
Don’t forget to add the middleware right before the SessionMiddleware: Django runs process_response in reverse order, so this one runs after SessionMiddleware has written the cookie. If you are using Python 2.6 or higher, you are done. Unfortunately, we are running Python 2.5, which does not support the httponly flag on cookies. A quick patch solved that problem as well:
<pre name=code class=bash>—- /usr/lib/python2.5/Cookie.py (revision 66233) +/usr/lib/python2.5/Cookie.py (working copy) @ -408,6 +408,9 @
For historical reasons, these attributes are also reserved:
# + # This is an extension from Microsoft: + # httponly + # This dictionary provides a mapping from the lowercase variant on the left to the appropriate traditional formatting on the right. @ -417,6 +420,7 @ “domain” : “Domain”, “max-age” : “Max-Age”, “secure” : “secure”, + “httponly” : “httponly”, “version” : “Version”, } @ -499,6 +503,8 @ RA) elif K == “secure”: RA) + elif K == “httponly”: + RA) else: RA)
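Review bot: In the last hunk the `RA(` calls are cut off in the listing, so it is not visible what the new `elif K == "httponly":` branch appends; it must emit the bare attribute token exactly as the neighbouring `secure` branch does (a `httponly=True` pair is not the attribute browsers recognise), so the two branches should read the same, e.g. `RA(str(self._reserved[K]))`, and the `"httponly" : "httponly"` entry added to the reserved-attribute table in the second hunk is what that lookup relies on. Editing `/usr/lib/python2.5/Cookie.py` system-wide is also fragile: a package update or a freshly built host silently drops the patch and the flag disappears with no error, so it is worth keeping the patch under version control with the deployment and checking the Set-Cookie header after every deploy.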
Loggly is now more secure against XSS attacks!
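The same technique in Python 3's `http.cookies` (which, like 2.6, has the flag built in), as an added example that is not code from the post: the flag is set the way the middleware above does it, a session Set-Cookie value is rendered with and without the fix, and a small audit walks captured Set-Cookie values, as from the author's traffic dump, and reports session cookies still sent without HttpOnly. The cookie name, function names and sample headers are assumptions constructed for this example; it assumes Python 3.5 or newer.

```python
from http.cookies import SimpleCookie

# Assumption for this example: Django's default session cookie name.
SESSION_COOKIE_NAME = 'sessionid'


def mark_session_httponly(cookies, name=SESSION_COOKIE_NAME):
    """Do what the middleware does, on a SimpleCookie instead of a
    Django response: flag the session cookie HttpOnly if it is being set."""
    if name in cookies:
        cookies[name]['httponly'] = True
    return cookies


def session_set_cookie(value, httponly):
    """Render the Set-Cookie header value for the session cookie, with or
    without the fix, so the two can be compared side by side."""
    cookies = SimpleCookie()
    cookies[SESSION_COOKIE_NAME] = value
    cookies[SESSION_COOKIE_NAME]['path'] = '/'
    if httponly:
        mark_session_httponly(cookies)
    return cookies[SESSION_COOKIE_NAME].OutputString()


def audit_set_cookie(header_values, watched=(SESSION_COOKIE_NAME,)):
    """Parse captured Set-Cookie header values (as from a traffic dump) and
    return the watched cookie names that are still sent without HttpOnly."""
    missing = []
    for raw in header_values:
        parsed = SimpleCookie()
        parsed.load(raw)  # flag attributes such as HttpOnly parse to True
        for name, morsel in parsed.items():
            if name in watched and not morsel['httponly']:
                missing.append(name)
    return missing


# Constructed sample header values, as they might appear in a traffic dump.
SAMPLE_HEADERS = [
    "sessionid=a1b2c3; Path=/",            # session cookie, flag missing
    "csrftoken=d4e5f6; Path=/",            # not a session cookie, ignored
    "sessionid=a1b2c3; Path=/; HttpOnly",  # the response after the fix
]

if __name__ == '__main__':
    print(session_set_cookie('a1b2c3', httponly=False))
    print(session_set_cookie('a1b2c3', httponly=True))
    print('missing HttpOnly:', audit_set_cookie(SAMPLE_HEADERS))
```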