rbCAS / CASino

CASino is a Ruby-based Single Sign-On solution supporting the CAS standard
MIT License

Make the generated cookies httponly #153

Open fojas opened 8 years ago

fojas commented 8 years ago

The TGT cookie should be HttpOnly to mitigate some common XSS attacks. https://www.owasp.org/index.php/HttpOnly#Mitigating_the_Most_Common_XSS_attack_using_HttpOnly

pencil commented 8 years ago

We currently rely on the cookie being readable by JS to automatically redirect when using multiple browser windows.
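As an added illustration of the two comments above (example code written for this page, not part of CASino), the Set-Cookie header for the ticket-granting ticket is built once in the JavaScript-readable form the issue objects to and once with HttpOnly and Secure set, with a small checker that a test suite or reverse proxy could run against real responses. The cookie name `tgt`, the ticket value and the separate secret-free `tgt_present` flag (one way to keep the multi-window redirect working without exposing the ticket itself) are assumptions, not CASino's behaviour.

```ruby
require 'cgi'

# Build a Set-Cookie header value with the attributes a Rack/Rails app would
# emit from `cookies[name] = { value: ..., httponly: ..., secure: ... }`.
def set_cookie_header(name, value, path: '/', secure: true, httponly: true, same_site: 'Lax')
  parts = ["#{name}=#{CGI.escape(value)}", "path=#{path}"]
  parts << 'secure' if secure
  parts << 'HttpOnly' if httponly
  parts << "SameSite=#{same_site}" if same_site
  parts.join('; ')
end

# Parse a Set-Cookie header back into name, value and attributes so a response
# can be checked (in a test suite or at a reverse proxy) for the flags that matter.
def cookie_attributes(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  flags = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: CGI.unescape(value.to_s), attrs: flags }
end

# A session cookie counts as hardened only if document.cookie cannot read it
# (HttpOnly) and it is never sent over plain HTTP (Secure).
def hardened?(header)
  attrs = cookie_attributes(header)[:attrs]
  attrs.key?('httponly') && attrs.key?('secure')
end

# Constructed sample ticket value; not a real CASino ticket.
TGT = 'TGT-example-1234'

# The JavaScript-readable form the issue objects to.
WEAK_COOKIE = set_cookie_header('tgt', TGT, secure: false, httponly: false, same_site: nil)
# The same ticket with HttpOnly and Secure set.
HARDENED_COOKIE = set_cookie_header('tgt', TGT)
# A separate flag carrying no secret that scripts may still read to decide whether
# another window already holds a session (assumed pattern, not CASino's own).
PRESENCE_COOKIE = set_cookie_header('tgt_present', '1', httponly: false)

if __FILE__ == $PROGRAM_NAME
  [WEAK_COOKIE, HARDENED_COOKIE, PRESENCE_COOKIE].each do |c|
    puts "#{hardened?(c) ? 'hardened' : 'readable'}: #{c}"
  end
end
```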