[Building Sakai] Sakai 2.x: setting cookies to 'HttpOnly'

David Adams da1 at vt.edu
Tue Apr 12 10:24:21 PDT 2011


Has anyone out there in the community taken the step of setting Sakai cookies, in particular JSESSIONID, to "HttpOnly"? My understanding of this setting is that pretty much all browsers support it today and that it instructs the browser to disallow JavaScript and plugins from accessing the cookie. It's not foolproof by a mile, but it seems like a no-brainer of an idea.

  https://www.owasp.org/index.php/HttpOnly

The only problem is, I have no idea how Sakai will react to this setting. There might be JavaScript that relies on the session cookie somehow. I know of one optional setting in a recent update of a particular tool that does rely on the JSESSIONID cookie *not* being set HttpOnly.

That particular capability can be disabled, but I'm not sure what else might be out there. Is anyone running HttpOnly cookies for Sakai 2 in production? Were there any issues? Anyone have any thoughts on the topic?

Thanks!
-- 
David Adams
Director, Learning Systems Integration and Support
Virginia Tech Learning Technologies
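A small audit script, added here as an example and not code from Sakai or from the post above: it parses the Set-Cookie headers a server sends and reports which cookies lack the HttpOnly (and Secure) flag, which is the check you would run against a portal before and after changing the Tomcat configuration. The sample headers in the block are constructed, not captured from a real Sakai instance; `fetch_set_cookie_headers` is a convenience for pointing the same check at your own portal URL.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example for this thread; it is not code from Sakai or from the
original post. The sample headers below are constructed, not captured
from a real Sakai server.
"""
import urllib.request
from typing import Dict, List, NamedTuple


class CookieReport(NamedTuple):
    name: str
    http_only: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value into a (name, HttpOnly, Secure) report.

    Attribute names are matched case-insensitively, as browsers do
    (RFC 6265 section 5.2), so 'httponly' and 'HttpOnly' both count.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieReport(name, "httponly" in attrs, "secure" in attrs)


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, CookieReport]:
    """Return one report per cookie name; a later header for the same name
    overrides an earlier one, matching how a browser would store it."""
    return {r.name: r for r in (parse_set_cookie(h) for h in headers)}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies that JavaScript on the page could still read."""
    reports = audit_set_cookie_headers(headers)
    return sorted(n for n, r in reports.items() if not r.http_only)


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL and return every Set-Cookie header value it sends.

    Point this at your own portal (e.g. the Sakai login page); it is not
    called in the offline demo below because it needs a live server.
    """
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: what a Tomcat-backed portal might send before and after
# enabling HttpOnly on the session cookie. These are not real captures.
BEFORE = [
    "JSESSIONID=ab12cd34ef56.tomcat1; Path=/",
    "sakai.tool.theme=default; Path=/portal",
]
AFTER = [
    "JSESSIONID=ab12cd34ef56.tomcat1; Path=/; HttpOnly",
    "sakai.tool.theme=default; Path=/portal",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, "- cookies missing HttpOnly:", cookies_missing_httponly(hdrs))
```

Running the script lists `JSESSIONID` as missing HttpOnly in the "before" set and only the non-session theme cookie in the "after" set. To answer the compatibility question in the post, the complementary check is on the browser side: any tool whose JavaScript reads the session id from `document.cookie` will see it disappear once the flag is set, so exercising those tools after the change (or grepping tool JavaScript for `JSESSIONID`) tells you what the flag breaks.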


More information about the sakai-dev mailing list