Description
Session cookies do not support the HttpOnly attribute, which makes them available to XSS attacks through JavaScript.
There is an issue with Python 2.5 (fixed in Python 2.6) whose Cookie class does not include the httponly option.
Steps to reproduce
- Install the Firebug and Firecookie extensions in Firefox
- Check the Cookies tab in the Firebug window (F12) after logging into MoinMoin
- Confirm that there is no HttpOnly flag
Example
Component selection
- general
Details
MoinMoin Version |
OS and Version |
Python Version |
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) |
Workaround
A solution, which also covers the situation where Python does not support the httponly option, is provided here: httponlyfix.patch
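As an added illustration, not MoinMoin code and not the contents of httponlyfix.patch, the following Python 3 example shows the two points of this report: setting the flag through the standard-library Cookie class when it knows the httponly attribute, falling back to appending the attribute to the serialized header by hand when it does not (the Python 2.5 case), and checking a Set-Cookie header value for the flag as the reproduction steps do by hand in Firecookie. The function names build_session_cookie and has_httponly, the sample cookie name MOIN_SESSION, and the force_fallback switch (which only simulates the old-Python path on a modern interpreter) are assumptions made for this example.

```python
"""Added example, not MoinMoin code and not httponlyfix.patch.

Emit an HttpOnly session cookie whether or not the stdlib Cookie class
supports the attribute, and check a Set-Cookie header for the flag.
"""
from http.cookies import SimpleCookie, Morsel


def morsel_supports_httponly():
    """True when the stdlib Morsel knows the 'httponly' attribute.

    Python 2.5's Cookie.Morsel lacks it (assigning it raises CookieError),
    Python 2.6 and every Python 3 have it.
    """
    return "httponly" in Morsel._reserved


def build_session_cookie(name, value, path="/", secure=False,
                         httponly=True, force_fallback=False):
    """Return the value of a Set-Cookie header for a session cookie.

    If the Cookie library supports HttpOnly, let it serialize the flag;
    otherwise (or when force_fallback is set, to exercise the old-Python
    path) append the attribute to the serialized header by hand. That
    string fallback is what a fix must do to cover a Cookie class
    without the option: the attribute is plain text to the browser and
    does not depend on library support.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    if secure:
        morsel["secure"] = True
    use_builtin = httponly and morsel_supports_httponly() and not force_fallback
    if use_builtin:
        morsel["httponly"] = True
    header = morsel.OutputString()
    if httponly and not use_builtin:
        # Fallback for a Cookie class without the httponly option.
        header += "; HttpOnly"
    return header


def has_httponly(set_cookie_value):
    """Report whether a Set-Cookie header value carries HttpOnly.

    The first segment is name=value; every later ';'-separated segment is
    an attribute. Attribute names are case-insensitive, so compare lowercased.
    """
    attributes = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" in attributes


if __name__ == "__main__":
    # MOIN_SESSION and the value are a constructed sample, not real data.
    for label, hdr in [
        ("library flag", build_session_cookie("MOIN_SESSION", "abc123")),
        ("string fallback", build_session_cookie("MOIN_SESSION", "abc123",
                                                 force_fallback=True)),
        ("no flag", build_session_cookie("MOIN_SESSION", "abc123",
                                         httponly=False)),
    ]:
        print("%-16s Set-Cookie: %s  -> HttpOnly=%s" % (label, hdr, has_httponly(hdr)))
```

The check in has_httponly is the same one you would apply to a captured response header instead of looking at the Firecookie tab; a session cookie that fails it is readable from document.cookie by any script that runs in the page.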
Discussion
This is not a bug, but rather a missing feature.
I added support for httponly cookies as shown in the patch. But: we have to be aware that this just adds a little bit of security; just Google for httponly for the details.
Plan
- Priority:
- Assigned to:
Status: support added by http://hg.moinmo.in/moin/1.8/rev/030379520983 - thanks for the patch