rbCAS / CASino

CASino is a Ruby-based Single Sign-On solution supporting the CAS standard
MIT License

Http Only TGT Cookies #172

Open soupmatt opened 7 years ago

soupmatt commented 7 years ago

After a security audit our company went through, it was pointed out to us that our TGT cookies should be HttpOnly. So, we added that feature.

In the code as-is right now, we are leaving the cookies as not HttpOnly so as not to break backwards compatibility. However, my opinion is that it should probably default the cookie to being HttpOnly, as this is the most secure option.
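To make the point of the audit concrete, here is an added example in plain Ruby (not CASino's own code, and not the code in this PR). `tgt_set_cookie` is a hypothetical helper that builds the `Set-Cookie` value for a ticket-granting cookie with HttpOnly on by default and an explicit opt-out, and `cookies_missing_httponly` is the kind of check an auditor runs over a server's `Set-Cookie` headers to find credential cookies that JavaScript could still read. The cookie name `tgt` and the sample header values are constructed for the example.

```ruby
# Added example, not CASino code. The helper name, the cookie name 'tgt'
# and the sample headers below are assumptions made for illustration.
require 'securerandom'

# Builds the Set-Cookie header value for a ticket-granting cookie.
# HttpOnly is the default; a caller that really needs script access to the
# TGT (which it should not) has to ask for httponly: false explicitly.
def tgt_set_cookie(value, name: 'tgt', path: '/', secure: true, httponly: true)
  parts = ["#{name}=#{value}", "path=#{path}"]
  parts << 'secure' if secure
  parts << 'HttpOnly' if httponly
  parts.join('; ')
end

# Splits one Set-Cookie header value into the cookie name and the list of
# attribute names. Attribute names are case-insensitive, so they are
# lower-cased before comparison.
def parse_set_cookie(header)
  name_value, *attrs = header.split(/;\s*/)
  name = name_value.split('=', 2).first
  flags = attrs.map { |a| a.split('=', 2).first.downcase }
  { name: name, flags: flags }
end

# Audit check: returns the names of credential-bearing cookies (by default
# just the TGT) that were set without the HttpOnly attribute.
def cookies_missing_httponly(headers, sensitive: ['tgt'])
  headers.map { |h| parse_set_cookie(h) }
         .select { |c| sensitive.include?(c[:name]) && !c[:flags].include?('httponly') }
         .map { |c| c[:name] }
end

if __FILE__ == $PROGRAM_NAME
  ticket = "TGC-#{SecureRandom.urlsafe_base64(24)}"
  puts "default (HttpOnly on):  #{tgt_set_cookie(ticket)}"
  puts "legacy  (HttpOnly off): #{tgt_set_cookie(ticket, httponly: false)}"

  # Constructed sample response headers: one TGT set the old way, one with
  # the flag, and an unrelated preference cookie that the audit ignores.
  headers = [
    'tgt=TGC-legacy; path=/; secure',
    'tgt=TGC-fixed; path=/; secure; HttpOnly',
    'lang=en; path=/'
  ]
  puts "cookies missing HttpOnly: #{cookies_missing_httponly(headers).inspect}"
end
```

The audit helper deliberately keys on the cookie name rather than on every cookie, because a preference cookie without HttpOnly is not a finding; the TGT is, since whoever can read it from script can replay the user's SSO session.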

coveralls commented 7 years ago


Coverage remained the same at 97.201% when pulling 44833d70a02ffa704c3845fb1b84c23d6807eda2 on soupmatt:http_only_tgt_cookies into 9ebf812f5b8cd84e2c52ec87f7974944900aed23 on rbCAS:master.