From: Joe Walker (jo...@getahead.org)
Date: Dec 11, 2008 2:12:55 pm
I'm sending this to DWR-users and DWR-security, we should probably direct follow-up messages to use...@dwr.dev.java.net only.
I can see HttpOnly causing us some *serious* problems.
The problem: There is a chance that Servlet 3.0 is going to encourage app-servers to HttpOnly the JSESSIONID cookie (and even if it doesn't, there is a decent chance that they will anyway).
HttpOnly on JSESSIONID breaks our CSRF protection. So I think it's likely that we'll be inundated with calls questioning why DWR has broken. Our response 'turn off HttpOnly' will be met with horror by many security departments that think we're breaking security.
My view is that at best, HttpOnly only slows an attacker down, but doesn't really fix any holes. Also it confuses people into thinking they are safer from something when they're not really. In addition it breaks double-submit. Hence I'm not keen on it. It would be good to know if anyone has a strong opinion that it's a Good Thing.
It would be good if we could come up with some alternative solution, so we didn't need an HttpOnly-free JSESSIONID cookie. Even if I can convince the servlet spec not to recommend its use, some app-server vendor will implement it, I'm sure.
Can anyone think of any better solutions?