Kai Ramuenke » Add new tag http://www.ramuenke.de Just another agile software development blog Wed, 20 May 2009 13:28:25 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Http-only session cookie http://www.ramuenke.de/archives/42 http://www.ramuenke.de/archives/42#comments Wed, 20 May 2009 13:28:25 +0000 Kai http://www.ramuenke.de/?p=42 In my last post i explained, how to test session protected resources with selenium rc and ruby. While we were migrating to Rails 2.3 all such tests suddenly stopped working because the JavaScript didn’t return the session cookie anymore. After some research we found out that you can control accessibility to the session cookie through the browser by sending a little flag in the HTTP response header for Set-Cookie.

response.setHeader("Set-Cookie", "cookie_name=cookie_value; HTTPOnly=");

By setting this flag you basically prevent any JavaScript from accessing the session cookie. Rails now sets this flag by default which makes it less vulnerably against cross scripting attacks.
You can find all information you need including a list of supporting browsers here

]]> http://www.ramuenke.de/archives/42/feed 0