[web-devel] HttpOnly

Chris Smith cdsmith at gmail.com
Thu Jun 30 16:25:50 CEST 2011

The current situation, technically speaking, is that Snap has no official
sessions package; but that will be changing in 0.6.  The sessions package
that will be part of 0.6 does, I believe, use your clientsession package,
unless that's changed since I last looked.

(I happen to be maintaining my own alternative package for typed sessions,
which has two backends -- one using server-side state, and the other using
your clientsession package.  But that's not an official part of Snap.)

Your cookie package is not likely to be useful for Snap, since parsing and
rendering of cookie-related headers is already included in snap-core (and, I
think, belongs there; it's a rather central part of HTTP; if we parse any
headers at all, we ought to include cookies).

As for http-only, I definitely think it's a good idea, in pretty much all
cases where cookies are used to pass through server-side state.  The kinds
of cookies generated by clientsession are not really vulnerable to
cookie-stealing attacks anywa due to the encryption that goes on, so it's
really just an extra layer of security.  But the same encryption guarantees
that there's no possible use for trying to access and read those particular
cookies in JavaScript, so adding the http-only flag doesn't actually prevent
anything useful, and there's no reason *not* to do it.
On Jun 30, 2011 7:59 AM, "Michael Snoyman" <michael at snoyman.com> wrote:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/web-devel/attachments/20110630/669ce286/attachment.htm>

More information about the web-devel mailing list