Securing your Web Application with httponly cookies OR How Apache.org and Atlassian could have been secured

 

The other day I was reading about the Apache and Atlassian hack. Max wrote a really nice summary of how that attack could have been prevented. One of the points he raised was that they should have used HTTPONLY cookies.

I then realized that we might have the same problem with Loggly. After some traffic dumping of our Web sessions, I realized that Django didn’t support httponly cookies. A quick google search revealed that someone wrote a djangosnippet to add httponly cookies. I had to slightly rewrite it, so here is the code I am using:

<pre name=code class=python>class cookie_httponly:
def process_response(self, request, response):
scn = settings.SESSION_COOKIE_NAME or ‘sessionid’
if response.cookies.has_key(scn):
response.cookies[scn][‘httponly’] = True
return response

Don’t forget to add the middleware right before the SessionMiddleware. If you are using Python 2.6 or higher, you are done. Unfortunately, we are running Python 2.5, which does not support the httponly flag on cookies. A quick patch solved that problem as well:

<pre name=code class=bash>—- /usr/lib/python2.5/Cookie.py (revision 66233)
+/usr/lib/python2.5/Cookie.py (working copy)
@ -408,6 +408,9 @

For historical reasons, these attributes are also reserved:

    #
    + # This is an extension from Microsoft:
    + # httponly
    + #
    This dictionary provides a mapping from the lowercase
    variant on the left to the appropriate traditional
    formatting on the right.
    @ -417,6 +420,7 @
    “domain” : “Domain”,
    “max-age” : “Max-Age”,
    “secure” : “secure”,
    + “httponly” : “httponly”,
    “version” : “Version”,
    }

@ -499,6 +503,8 @
RA)
elif K == “secure”:
RA)
+ elif K == “httponly”:
+ RA)
else:
RA)

Loggly is now more secure against XSS attacks!


Share Your Thoughts

Top