[Building Sakai] Sakai 2.x: setting cookies to 'HttpOnly'

Adams, David da1 at vt.edu
Tue Apr 12 12:03:03 PDT 2011


Looks like there's at least one issue probably caused by this:
https://jira.sakaiproject.org/browse/GRBK-908

Stephen Marquard wrote:
> HttpOnly cookies are set in Sakai kernels 1.0.x, 1.1.11 and 1.2.0 (and
> later) which means it's in 2.8.0 and the 2-7-x branch. For example,
> see:
>
> http://nightly2.sakaiproject.org:8087/portal
>
> No unwanted side-effects have surfaced that I'm aware of.
>
> Regards
> Stephen
>
>
> --
> Stephen Marquard, Learning Technologies Co-ordinator
> Centre for Educational Technology, University of Cape Town
> http://www.cet.uct.ac.za
> Email / IM (Jabber/XMPP): stephen.marquard at uct.ac.za
> Phone: +27-21-650-5037 Cell: +27-83-500-5290
>
> >>> David Adams <da1 at vt.edu> 4/12/2011 7:24 PM >>>
> Has anyone out there in the community taken the step of setting Sakai
> cookies, in particular JSESSIONID, to "HttpOnly"? My understanding of
> this setting is that pretty much all browsers support it today and that
> it instructs the browser to disallow JavaScript and plugins from
> accessing the cookie. It's not foolproof by a mile, but it seems like a
> no-brainer of an idea.
>
>   https://www.owasp.org/index.php/HttpOnly
>
> The only problem is, I have no idea how Sakai will react to this
> setting. There might be JavaScript that relies on the session cookie
> somehow. I know of one optional setting in a recent update of a
> particular tool that does rely on JSESSIONID cookie *not* being set
> HttpOnly.
>
> That particular capability can be disabled, but I'm not sure what else
> might be out there. Is anyone running HttpOnly cookies for Sakai 2 in
> production? Were there any issues? Anyone have any thoughts on the
> topic?
>
> Thanks!
> --
> David Adams
> Director, Learning Systems Integration and Support
> Virginia Tech Learning Technologies
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
-- 
David Adams
Director, Learning Systems Integration and Support
Virginia Tech Learning Technologies
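The question in this thread is whether a given Sakai deployment actually marks JSESSIONID as HttpOnly (the kernel versions Stephen lists do; older ones do not). Below is an added example, not Sakai or Tomcat code, that audits the Set-Cookie headers of a portal response for that flag; the sample headers are constructed, and `audit_url` is a hypothetical helper you would point at your own server, e.g. a `/portal` URL.

```python
"""Check that Sakai's session cookie (JSESSIONID) is set HttpOnly.

Added example for this thread, not part of Sakai. A cookie without the
HttpOnly attribute is readable from document.cookie by any script or
plugin on the page; with it, the browser withholds it from scripts.
"""
import urllib.request
from typing import Dict, List

# Sakai runs on Tomcat, whose session cookie is JSESSIONID (named in the thread).
SESSION_COOKIES = ("JSESSIONID",)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and an attribute map.
    Attribute names are lower-cased because browsers match them case-insensitively
    (Tomcat emits 'HttpOnly', other servers emit 'httponly')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag attrs have no value
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit(headers: List[str], session_names=SESSION_COOKIES) -> Dict[str, bool]:
    """Return {cookie name: True if HttpOnly} for each session cookie that was set.
    If the same cookie is set twice, the last header wins, as in a browser."""
    result: Dict[str, bool] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in session_names:
            result[cookie["name"]] = "httponly" in cookie["attrs"]
    return result


def audit_url(url: str) -> Dict[str, bool]:
    """Hypothetical helper: fetch a page (e.g. a Sakai /portal) and audit its cookies."""
    with urllib.request.urlopen(url) as resp:
        return audit(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample responses, not captured from a real Sakai server.
OLD_KERNEL = ["JSESSIONID=abc123.tomcat1; Path=/"]
NEW_KERNEL = ["JSESSIONID=abc123.tomcat1; Path=/; HttpOnly",
              "sakai.locale=en_GB; Path=/; Expires=Wed, 13-Apr-2011 12:00:00 GMT"]

if __name__ == "__main__":
    print(audit(OLD_KERNEL))  # {'JSESSIONID': False}
    print(audit(NEW_KERNEL))  # {'JSESSIONID': True}
```

A JSESSIONID reported as False is the case David describes: any tool JavaScript that reads the session cookie still works, but so does any injected script. True means such a tool must be reworked or disabled before the kernel upgrade.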
