[Building Sakai] Sakai 2.x: setting cookies to 'HttpOnly'

Stephen Marquard stephen.marquard at uct.ac.za
Tue Apr 12 11:09:05 PDT 2011


HttpOnly cookies are set in Sakai kernels 1.0.x, 1.1.11 and 1.2.0 (and
later) which means it's in 2.8.0 and the 2-7-x branch. For example,
see:

http://nightly2.sakaiproject.org:8087/portal

No unwanted side-effects have surfaced that I'm aware of.

Regards
Stephen 
 

-- 
Stephen Marquard, Learning Technologies Co-ordinator
Centre for Educational Technology, University of Cape Town
http://www.cet.uct.ac.za
Email / IM (Jabber/XMPP): stephen.marquard at uct.ac.za
Phone: +27-21-650-5037 Cell: +27-83-500-5290 


>>> David Adams <da1 at vt.edu> 4/12/2011 7:24 PM >>> 
Has anyone out there in the community taken the step of setting Sakai
cookies, in particular JSESSIONID, to "HttpOnly"? My understanding of
this setting is that pretty much all browsers support it today and that
it instructs the browser to disallow JavaScript and plugins from
accessing the cookie. It's not foolproof by a mile, but it seems like a
no-brainer of an idea.

  https://www.owasp.org/index.php/HttpOnly

The only problem is, I have no idea how Sakai will react to this
setting. There might be JavaScript that relies on the session cookie
somehow. I know of one optional setting in a recent update of a
particular tool that does rely on the JSESSIONID cookie *not* being set
HttpOnly.

That particular capability can be disabled, but I'm not sure what else
might be out there. Is anyone running HttpOnly cookies for Sakai 2 in
production? Were there any issues? Anyone have any thoughts on the
topic?

Thanks!
-- 
David Adams
Director, Learning Systems Integration and Support
Virginia Tech Learning Technologies
_______________________________________________
sakai-dev mailing list
sakai-dev at collab.sakaiproject.org
http://collab.sakaiproject.org/mailman/listinfo/sakai-dev

TO UNSUBSCRIBE: send email to
sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
"unsubscribe"
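Added example, not part of the original thread and not Sakai or Tomcat code: a small Python check that answers the "is it actually set?" half of the question above. It pulls every Set-Cookie header out of a captured HTTP response, parses each one with a minimal RFC 6265-style parser written here, and reports any session cookie (JSESSIONID by default) that lacks the HttpOnly or Secure flag. The two sample responses, the Server header and the session ID in them are constructed for the example, not captured from a real Sakai instance.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags on session cookies.

Added example, not Sakai code. The sample responses below are constructed to
resemble what a Tomcat-hosted portal returns; they were not captured from a
real Sakai server.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # valued attributes: path, expires, max-age ...
    flags: set = field(default_factory=set)         # valueless attributes: httponly, secure

    @property
    def http_only(self) -> bool:
        return "httponly" in self.flags

    @property
    def secure(self) -> bool:
        return "secure" in self.flags


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie value: name=value; attr[=val]; attr[=val] ...

    Attribute names are case-insensitive, so 'HttpOnly', 'httponly' and
    'HTTPONLY' all count. An attribute with an empty value ('HttpOnly=') is
    treated as a flag, which matches how browsers parse it.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip()
        if has_eq and val:
            cookie.attributes[key] = val
        else:
            cookie.flags.add(key)
    return cookie


def set_cookie_values(raw_response_headers: str) -> list:
    """Return every Set-Cookie value found in a raw HTTP header block (e.g. curl -D output)."""
    values = []
    for line in raw_response_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


SESSION_COOKIE_NAMES = {"jsessionid"}  # extend if a deployment renames its session cookie


def audit_session_cookies(raw_response_headers: str, session_names=SESSION_COOKIE_NAMES) -> list:
    """Return one finding per missing protection on each session cookie in the response."""
    findings = []
    for value in set_cookie_values(raw_response_headers):
        cookie = parse_set_cookie(value)
        if cookie.name.lower() not in session_names:
            continue
        if not cookie.http_only:
            findings.append(f"{cookie.name}: missing HttpOnly (readable from script via document.cookie)")
        if not cookie.secure:
            findings.append(f"{cookie.name}: missing Secure (also sent over plain HTTP)")
    return findings


# Constructed sample responses (not captured from a real Sakai server).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=1a2b3c4d5e6f.localhost; Path=/\r\n"
    "Set-Cookie: sakai_portal_tab=home; Path=/portal\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=1a2b3c4d5e6f.localhost; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: sakai_portal_tab=home; Path=/portal\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_session_cookies(response) or ['ok']}")
```

To run it against a live portal, capture the headers of the request that first creates the session, for example `curl -s -D - -o /dev/null https://host/portal`, and pass that text to `audit_session_cookies`. Two caveats a practitioner would want: the check only sees cookies set by the response you captured (a JSESSIONID issued earlier in the same session is not re-sent), and HttpOnly only blocks script access to the cookie; it does nothing against a cross-site scripting payload that simply makes authenticated requests from the victim's browser, which is the "not foolproof" point made in the question.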