Grails

Security: Session-Cookie should have the HTTPOnly-Flag set

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.3.7
  • Fix Version/s: 2.1-RC1
  • Component/s: Security
  • Labels:
    None

Description

To mitigate common XSS-attacks the HttpOnly-Flag should be set for the session-cookie (see: https://www.owasp.org/index.php/HttpOnly). It think that it would be save to set it per default and to have the possibility to deactivate it in the Config.groovy.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Graeme Rocher added a comment -

I'm not sure its right for Grails to be doing this by default. Containers like Tomcat have a configuration option to enable this globally for an application. Seems having it in Grails core is the wrong place since we don't just service browser requests (REST etc.)

Show
Graeme Rocher added a comment - I'm not sure its right for Grails to be doing this by default. Containers like Tomcat have a configuration option to enable this globally for an application. Seems having it in Grails core is the wrong place since we don't just service browser requests (REST etc.)
Hide
Permalink
Frank Wettstein added a comment -

I've created a web-app/META-INF/context.xml for Tomcat with useHttpOnly='true' and it's working. Perhaps this should be added into chapter 11 of the documentation (Security), as it is a quite important defense against XSS-attacks.

Show
Frank Wettstein added a comment - I've created a web-app/META-INF/context.xml for Tomcat with useHttpOnly='true' and it's working. Perhaps this should be added into chapter 11 of the documentation (Security), as it is a quite important defense against XSS-attacks.
Hide
Permalink
Rick Jensen added a comment -

I would strongly vote against this being the default, since it causes lots of trouble with other non-browser user agents. Adding a section into the Security chapter of the docs would be very much preferable. Even adding a commented-out configuration option to the default config would be OK, but not as the default setting.

Show
Rick Jensen added a comment - I would strongly vote against this being the default, since it causes lots of trouble with other non-browser user agents. Adding a section into the Security chapter of the docs would be very much preferable. Even adding a commented-out configuration option to the default config would be OK, but not as the default setting.
Hide
Permalink
Bobby Warner added a comment -

I added a paragraph about this to the security docs – https://github.com/pledbrook/grails-doc/commit/3da9e120ef1cc8d66d8bda14972812275e4be6d1

It is now the default in Tomcat 7 and part of the Servlet 3.0 specification. So, closing this issue as nothing else is needed besides the docs I wrote.

Thanks,
Bobby

Show
Bobby Warner added a comment - I added a paragraph about this to the security docs – https://github.com/pledbrook/grails-doc/commit/3da9e120ef1cc8d66d8bda14972812275e4be6d1 It is now the default in Tomcat 7 and part of the Servlet 3.0 specification. So, closing this issue as nothing else is needed besides the docs I wrote. Thanks, Bobby

People

  • Assignee:
    Bobby Warner
    Reporter:
    Frank Wettstein
Vote (1)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
    Last Reviewed: