Grails
GRAILS-7439

Security: Session-Cookie should have the HTTPOnly-Flag set

Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.3.7
    • Fix Version/s: 2.1-RC1
    • Component/s: Security
    • Labels: None

Description

To mitigate common XSS attacks the HttpOnly flag should be set for the session cookie (see: https://www.owasp.org/index.php/HttpOnly). I think that it would be safe to set it by default and to have the possibility to deactivate it in the Config.groovy.

Activity

Graeme Rocher added a comment -

I'm not sure it's right for Grails to be doing this by default. Containers like Tomcat have a configuration option to enable this globally for an application. Seems having it in Grails core is the wrong place since we don't just service browser requests (REST etc.)

Frank Wettstein added a comment -

        I've created a web-app/META-INF/context.xml for Tomcat with useHttpOnly='true' and it's working. Perhaps this should be added into chapter 11 of the documentation (Security), as it is a quite important defense against XSS-attacks.

cdeszaq added a comment -
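The container-level setting described in the comment above, written out as an added example (not a file from this issue or from the Grails project). The file path follows the comment; the XML declaration and the empty element body are assumptions, and the only setting that matters here is the useHttpOnly attribute on the Context element:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web-app/META-INF/context.xml: packaged into the WAR as META-INF/context.xml,
     so Tomcat picks it up as the per-application context configuration.
     useHttpOnly="true" makes Tomcat emit the JSESSIONID cookie with the HttpOnly
     flag, which keeps document.cookie in the browser from reading the session id.
     It applies only to the container-managed session cookie, not to cookies the
     application sets itself. Tomcat 7 already defaults this to true; the explicit
     attribute matters for Tomcat 6 deployments such as the 1.3.7 setup reported. -->
<Context useHttpOnly="true">
</Context>
```

To confirm the setting took effect, request a page that creates a session and inspect the response's Set-Cookie header: the JSESSIONID line should end with the HttpOnly attribute. If it does not, the WAR's META-INF/context.xml was probably not used (for example because a copy of the context already exists under the container's conf directory and takes precedence).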

        I would strongly vote against this being the default, since it causes lots of trouble with other non-browser user agents. Adding a section into the Security chapter of the docs would be very much preferable. Even adding a commented-out configuration option to the default config would be OK, but not as the default setting.

Bobby Warner added a comment -

        I added a paragraph about this to the security docs – https://github.com/pledbrook/grails-doc/commit/3da9e120ef1cc8d66d8bda14972812275e4be6d1

        It is now the default in Tomcat 7 and part of the Servlet 3.0 specification. So, closing this issue as nothing else is needed besides the docs I wrote.

        Thanks,
        Bobby

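The portable, container-independent form of the same setting, as an added example that is not part of this issue or of the Grails documentation change linked above. Servlet 3.0 added the cookie-config element to web.xml, which is what the comment refers to; the web-app namespace and version attributes below are the standard Servlet 3.0 header, and placing the file under src/templates/war/ assumes the application overrides the generated web.xml with a copy obtained from the grails install-templates command:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- src/templates/war/web.xml (assumed location of the application's web.xml
     template). The session-config/cookie-config block is Servlet 3.0 syntax, so it
     works on any Servlet 3.0 container (Tomcat 7, Jetty 8, ...) and not only on
     Tomcat. The same block could be dropped into an existing web.xml unchanged. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <session-config>
        <cookie-config>
            <!-- Emit the session cookie with the HttpOnly flag so script running in
                 the page cannot read the session id via document.cookie. -->
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

</web-app>
```

Because this lives in the deployment descriptor rather than in a Tomcat-specific context file, it survives a move to a different container, and it addresses the concern raised earlier in the thread: the flag is chosen per application by the deployer, not imposed by Grails core on every application including pure REST services.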

People

    • Assignee: Bobby Warner
    • Reporter: Frank Wettstein