Kitura-Session

Session cookies should be HttpOnly

Open. djones6 opened this issue 7 years ago. 0 comments.

See https://www.owasp.org/index.php/HttpOnly

I believe we should be setting the HttpOnly attribute on Session cookies by default. Currently we only set the domain and path attributes, and rely on the user to specify additional session cookie options via a `[CookieParameter]` (enum) array.

There does not appear to be provision in our current API to set just this attribute, either: although the CookieParameter enum has a .secure case, it seems to equate to both Secure and HttpOnly, which means the client will only send the cookie over an SSL connection.

FYI @Andrew-Lees11 @ianpartridge

djones6, May 15 '18 12:05
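The issue hinges on Secure and HttpOnly being two independent cookie attributes: Secure restricts the cookie to TLS transport, HttpOnly hides it from client-side script. The following audit helper, added here as an illustration and not part of Kitura-Session, parses a Set-Cookie header as a server would emit it and reports which of the two protections a session cookie is missing; the header strings and the cookie name are constructed sample values.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265 attribute syntax)."""
    parts = [p.strip() for p in header.split(";")]
    # First segment is name=value; attribute names are case-insensitive.
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip()
    return CookieAudit(name, secure, httponly, samesite)


def missing_protections(header: str) -> List[str]:
    """Return the attributes a session cookie should carry but does not."""
    audit = parse_set_cookie(header)
    missing = []
    if not audit.httponly:
        missing.append("HttpOnly")  # script-readable: exposed to XSS theft
    if not audit.secure:
        missing.append("Secure")    # sent over plaintext HTTP as well
    return missing


if __name__ == "__main__":
    # Constructed sample: domain and path only, as the issue describes.
    weak = "session-id=abc123; Path=/; Domain=example.com"
    hardened = "session-id=abc123; Path=/; Domain=example.com; Secure; HttpOnly"
    print(parse_set_cookie(weak).name, "missing:", missing_protections(weak))
    print(parse_set_cookie(hardened).name, "missing:", missing_protections(hardened))
```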