Set HttpOnly for session cookie due to improvement of security - Githubissues

perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin

Apache License 2.0

9.64k stars 1.56k forks source link

Set HttpOnly for session cookie due to improvement of security #1027

Closed asolntsev closed 6 years ago

asolntsev commented 6 years ago

This is an improvement for PR https://github.com/perwendel/spark/pull/965 from @M-Razavi

In this PR, I

I made it possible to disable HttpOnly flag (just in case, probably somebody will need it).
Added unit-tests.

asolntsev commented 6 years ago

@perwendel @tipsy @jakaarl @joatmon @M-Razavi ping

asolntsev commented 6 years ago

@perwendel PING!

asolntsev commented 6 years ago

@perwendel Hello! Is anybody alive?

perwendel commented 6 years ago

@asolntsev Hey, two questions:

does this change any default behavior? Is httpOnly 'true' by default? (I suppose it's the case)
how does this relate to the Response.cookie where httpOnly can be set on individual cookies?

asolntsev commented 6 years ago

@perwendel

Yes, this will change the default behaviour. And that's the point. We must change the default behaviour! Current default behaviour creates a potential security holes in applications around the World. Currently httpOnly is not set by default, but it should be.
User can add httpOnly only to his own cookies using Response.cookie. But user cannot add httpOnly to the session cookie (which is created by Jetty deep inside the framework).

perwendel commented 6 years ago

@asolntsev get it! Thanks!