Add httpOnly to cookieProps in the shibboleth2.xml config

Description

Since modern browsers support the httpOnly cookie attribute, it should be added to the default shibboleth2.xml config. Currently, cookieProps is not included in the default config. In a comment, only the path and secure attributes are mentioned; httpOnly is missing completely.

See: http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly
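The setting this issue asks for, as an added example that is not the shibboleth2.xml the Shibboleth project ships: a `<Sessions>` element from a hypothetical SP config with cookieProps set. The SP appends the cookieProps value verbatim to the Set-Cookie header of the cookies it issues, so the leading semicolon and each token after it become cookie attributes; the other attribute values, the IdP entityID and the handler lines are assumed for illustration.

```xml
<!-- Added example, not the project's shipped default config.
     cookieProps is appended as-is to the Set-Cookie header the SP emits for
     its session cookie (and the other cookies it sets), so every token after
     the leading semicolon is sent to the browser as a cookie attribute. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true"
          cookieProps="; path=/; secure; HttpOnly">

    <!-- Without HttpOnly (the state this issue reports), script injected into
         any page on the same host can read the session cookie through
         document.cookie. With HttpOnly, the browser still attaches the cookie
         to requests the script makes to the server (XMLHttpRequest, fetch),
         but never exposes the cookie value to the script itself. -->

    <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2 SAML1
    </SSO>

    <Logout>SAML2 Local</Logout>

    <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
```

To check the result, request a protected resource through the SP and inspect the Set-Cookie header for the `_shibsession_` cookie: `path=/`, `secure` and `HttpOnly` should follow the cookie value. Two caveats a deployer should weigh before copying this: `secure` makes the browser return the cookie over HTTPS only, so a site still served over plain HTTP will lose its session after login; and `HttpOnly` removes the cookie value from `document.cookie`, which only breaks applications that deliberately read the SP's session cookie from script rather than letting the browser send it.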

Environment

None

Activity


Scott Cantor September 20, 2011 at 9:17 PM

http://svn.shibboleth.net/view/cpp-sp?view=revision&revision=3517

Getting this in early so I can test through the life cycle with HttpOnly set.

Thomas Lenggenhager June 2, 2011 at 3:20 PM

I fully understand. I'll try to get this tested in our environment and report back.
For 2.4.3 you could just add the httpOnly to the comment within the config file.
With 2.5 you can then promote it to the default config.

Scott Cantor June 1, 2011 at 2:56 PM

I think my suggestion would be to find somebody with an AJAX scenario who can verify using it works ok, and then add it to the default properties used in 2.5. That way it gets set out of the box instead of just for people who override the setting.

Even if it's a good thing to use, I don't like making changes of that degree in a patch release.

Thomas Lenggenhager June 1, 2011 at 2:51 PM

If JavaScript launches an HTTP request, the browser should automatically add the cookie to that request, without JavaScript itself having access to it.
So I think it should not negatively influence JavaScript requests.

Scott Cantor June 1, 2011 at 2:01 PM

I may also not understand it correctly. I know it blocks client side access to the cookie, but I'm not clear whether it blocks use of the cookie when making Javascript calls to the server.

Fixed
Details

Created June 1, 2011 at 7:16 AM
Updated August 7, 2012 at 1:07 AM
Resolved September 20, 2011 at 9:17 PM