Friday, June 10, 2011

Set-Cookie: HTTPOnly

Playdoh best practices document says: "to be secure by default, we use commonware’s cookies app. It makes secure and httponly cookies the default."

I think Playdoh sets it in "/vendor/src/commonware/commonware/response/cookies/monkeypatch.py" which starts off saying:

"Monkey-patch secure and httponly cookies into Django by default.
Enable this by adding ``commonware.response.cookies`` to your INSTALLED_APPS."

So I went to my settings_local.py and found that commonware.response.cookies is already set.

Need to test that "Set-Cookie: httponly;" can be found in the HTTP Response Header.

Used Burp Proxy to see the HTTP Response Header stuff.

Test 2, saw "set-cookies"
Added this to the view of a page:
from django.http import HttpResponse

def set_cookie(request):
    # Plain set_cookie() call; the commonware monkeypatch is expected to add httponly to it.
    response = HttpResponse('')
    response.set_cookie('foo', 'bar')
    return response

HTTP Request Header:
GET /en-US/msw/set_cookie HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: username=Bunny%20Rabbit

HTTP Response Header:
HTTP/1.0 200 OK
Date: Fri, 10 Jun 2011 20:23:27 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8
Set-Cookie:  foo=bar; httponly; Path=/

Test 1, without seeing "set-cookies"

I created a page with a cookie stolen from W3Schools. Here is the HTML. But I could not find "set-cookies" in the HTTP Response Header.

First time there (enter name):
HTTP Request Header:
GET /en-US/msw/cookie HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

HTTP Response Header:
HTTP/1.0 200 OK
Date: Fri, 10 Jun 2011 20:17:50 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8

Second time there (with name in cookie):
HTTP Request Header:
GET /en-US/msw/cookie HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: username=Bunny%20Rabbit
Cache-Control: max-age=0

HTTP Response Header:
HTTP/1.0 200 OK
Date: Fri, 10 Jun 2011 20:20:51 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8
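As an added example (not the author's or Playdoh's code), a stdlib-only Python check that does what the Burp inspection above does by hand: parse a captured response header block and report which cookies lack HttpOnly or Secure. The sample headers are the Test 2 and Test 1 responses from this post; `require_secure=False` mirrors the local plain-HTTP dev server, where the captured cookie carries httponly but no Secure flag.

```python
# Constructed sample: the Test 2 response captured above (cookie set server-side).
RESPONSE_WITH_COOKIE = """HTTP/1.0 200 OK
Date: Fri, 10 Jun 2011 20:23:27 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8
Set-Cookie:  foo=bar; httponly; Path=/
"""

# Constructed sample: the Test 1 response; the cookie there was set by JavaScript in
# the page, so the server sends no Set-Cookie header and there is nothing to audit.
RESPONSE_WITHOUT_COOKIE = """HTTP/1.0 200 OK
Date: Fri, 10 Jun 2011 20:17:50 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8
"""

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value_or_True}).
    Attribute names are lower-cased because browsers match them case-insensitively
    (the header above says 'httponly'); flags without '=' are stored as True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, has_eq, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs

def audit_cookies(raw_response):
    """Map each cookie set in the header block to its HttpOnly/Secure status."""
    findings = {}
    for line in raw_response.splitlines():
        field, sep, rest = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, _value, attrs = parse_set_cookie(rest)
            findings[name] = {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
    return findings

def missing_flags(raw_response, require_secure=True):
    """List cookies lacking HttpOnly (and Secure, unless testing over plain HTTP)."""
    problems = []
    for name, flags in audit_cookies(raw_response).items():
        if not flags["httponly"]:
            problems.append(name + ": missing HttpOnly")
        if require_secure and not flags["secure"]:
            problems.append(name + ": missing Secure")
    return problems
```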
