Thursday, March 27, 2008

HttpOnly, Safari, Servlets and Tomcat

I'm a huge fan of the benefits provided by the HttpOnly cookie flag, especially as it pertains to enhancing the security of session cookies in web applications. As we can see by Andrew van der Stock's recent blog post on HttpOnly Browser Support, almost every browser supports or will soon support the HttpOnly flag except for Safari.

Safari is built on the open source WebKit project (WebKit.org), and there is indeed a bug filed for HttpOnly support in WebKit. But this bug was posted back in September '06 - what's taking so long? Unfortunately the problem is Apple. Apple is blocking WebKit from supporting HttpOnly: the closed source Apple library that converts HTTP headers into objects is CFNetwork, and CFNetwork does not support the HttpOnly cookie flag. Please do not hesitate to email the Apple Product Security Team to nudge them along in the right direction!

Also, I have heard rumors that the JEE Servlet Expert Group will soon agree to support the HttpOnly flag in the Servlet 3.0 specification! I'm absolutely thrilled about this. I cannot provide proof of this yet, but I am a longtime Sun contractor and have authoritative sources. This is a very encouraging development.

I've run across much resistance on my HttpOnly cookie crusade. The Tomcat team is hesitant to support this cookie flag since HttpOnly is not a standard - but I'm working on the Tomcat HttpOnly bug and am likely to get it rolled live into Tomcat once it becomes part of the standard for Servlets.

Vive la HttpOnly!

Actual Photo of Arshan Dabirsiaghi

5 comments:

Arshan Dabirsiaghi said...

I can't stop these paparazzi from getting embarrassing pictures of me.

Jim Manico said...

I completed the Tomcat patches and submitted them for review. Please see: https://issues.apache.org/bugzilla/show_bug.cgi?id=44382

Jim Manico said...

An unofficial note from one of the Tomcat core developers:

"Someone will need to apply the patch to trunk and then propose it for 6.0.x and possibly 5.5.x. I don't see this being ported to 4.1.x at the moment.

My guess is that once someone commits it to trunk and proposes it, it will get 3 +1's. The trick will be finding someone to commit it.

Given the recent cookie changes, I would be against this going in the next 6.0.x and 5.5.x releases. I'd like to have at least one stable version of the cookie code before we make further changes. "

Jim Manico said...

Ah, great news from one of the Tomcat committers:

"btw, this will be part of javax.servlet.http.Cookie class in the next servlet release, it's been confirmed.
- Filip "

Arshan Dabirsiaghi said...

That is great - you r win.