[Building Sakai] Sakai 2.x: setting cookies to 'HttpOnly'

Thomas Amsler tpamsler at ucdavis.edu
Tue Apr 12 16:03:19 PDT 2011


We will rework that to not depend on the JSESSIONID.

-- Thomas

On Tue, Apr 12, 2011 at 12:03 PM, Adams, David <da1 at vt.edu> wrote:
> Looks like there's at least one issue probably caused by this:
> https://jira.sakaiproject.org/browse/GRBK-908
>
> Stephen Marquard wrote:
>> HttpOnly cookies are set in Sakai kernels 1.0.x, 1.1.11 and 1.2.0 (and
>> later) which means it's in 2.8.0 and the 2-7-x branch. For example,
>> see:
>>
>> http://nightly2.sakaiproject.org:8087/portal
>>
>> No unwanted side-effects have surfaced that I'm aware of.
>>
>> Regards
>> Stephen
>>
>>
>> --
>> Stephen Marquard, Learning Technologies Co-ordinator
>> Centre for Educational Technology, University of Cape Town
>> http://www.cet.uct.ac.za
>> Email / IM (Jabber/XMPP): stephen.marquard at uct.ac.za
>> Phone: +27-21-650-5037 Cell: +27-83-500-5290
>>
>> >>> David Adams <da1 at vt.edu> 4/12/2011 7:24 PM >>>
>> Has anyone out there in the community taken the step of setting Sakai
>> cookies, in particular JSESSIONID, to "HttpOnly"? My understanding of
>> this setting is that pretty much all browsers support it today and that
>> it instructs the browser to disallow Javascript and plugins from
>> accessing the cookie. It's not foolproof by a mile, but it seems like a
>> no-brainer of an idea.
>>
>>   https://www.owasp.org/index.php/HttpOnly
>>
>> The only problem is, I have no idea how Sakai will react to this
>> setting. There might be Javascript that relies on the session cookie
>> somehow. I know of one optional setting in a recent update of a
>> particular tool that does rely on JSESSIONID cookie *not* being set
>> HttpOnly.
>>
>> That particular capability can be disabled, but I'm not sure what else
>> might be out there. Is anyone running HttpOnly cookies for Sakai 2 in
>> production? Were there any issues? Anyone have any thoughts on the
>> topic?
>>
>> Thanks!
>> --
>> David Adams
>> Director, Learning Systems Integration and Support
>> Virginia Tech Learning Technologies
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>
>> TO UNSUBSCRIBE: send email to
>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>> "unsubscribe"
>>
>>
> --
> David Adams
> Director, Learning Systems Integration and Support
> Virginia Tech Learning Technologies
>
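The thread's practical question is whether a given Sakai instance actually sends JSESSIONID with the HttpOnly attribute (and, on an https deployment, Secure). The following is an added example, not code from Sakai or from anyone in the thread: a small Python audit that parses Set-Cookie headers and reports session cookies missing those attributes, plus a network helper for pointing it at a live portal such as the nightly URL above. The sample headers are constructed for illustration and were not captured from any Sakai server; the cookie name set (JSESSIONID only) and the helper names are this example's own assumptions.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure on session cookies.

Added example; not Sakai's own code. The sample headers below are
constructed to resemble what a Tomcat-hosted portal might send.
"""
import sys


# Constructed samples: the first resembles a kernel that does not set
# HttpOnly, the second one that does. Not captured from a real server.
BEFORE_HEADERS = [
    "JSESSIONID=1a2b3c4d5e6f.tomcat1; Path=/",
    "sakai_theme=default; Path=/",          # non-session cookie, ignored
]
AFTER_HEADERS = [
    "JSESSIONID=1a2b3c4d5e6f.tomcat1; Path=/; HttpOnly",
    "sakai_theme=default; Path=/",
]

# Cookie names treated as session identifiers (assumption: only JSESSIONID).
SESSION_COOKIE_NAMES = frozenset({"JSESSIONID"})


def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; valueless attributes (HttpOnly, Secure)
    map to True. The cookie value may itself contain '=' so we only split
    on the first one.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit(headers, session_names=SESSION_COOKIE_NAMES, https=True):
    """Return (cookie_name, problem) tuples for session cookies that lack
    HttpOnly, or lack Secure when the site is served over https.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in session_names:
            continue
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing HttpOnly"))
        if https and "secure" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing Secure"))
    return findings


def fetch_set_cookie_headers(url):
    """Network helper: GET url and return every Set-Cookie header it sends.

    A portal login page normally creates the session, so the first response
    is enough to see how JSESSIONID is issued.
    """
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        headers = fetch_set_cookie_headers(target)
        https = target.lower().startswith("https://")
    else:
        headers, https = BEFORE_HEADERS, False
    problems = audit(headers, https=https)
    for name, problem in problems:
        print(f"{name}: {problem}")
    if not problems:
        print("session cookies carry the expected attributes")
```

Run it with no arguments to see the constructed "before" case flagged, or with a portal URL (for example the nightly link in the thread) to check a live instance; on an http:// URL the Secure check is skipped, since a cookie set on plain http would not have it. If a kernel older than the versions Stephen lists does not set the flag itself, Tomcat's `useHttpOnly` attribute on the `Context` element (available from Tomcat 6.0.19) is the usual server-side way to add it to JSESSIONID.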

