Add HttpOnly flag to LiveJournal cookies

Aug 28, 2008 17:27


Title
Add HttpOnly flag to LiveJournal cookies

Short, concise description of the idea
Add the HttpOnly flag to LiveJournal cookies to help protect against XSS.

Full description of the idea
The only thing necessary is to set the HttpOnly flag on cookies sent by LiveJournal so that they cannot be accessed through client-side scripting. This makes ( Read more... )

security, § no status, cookies, login


Comments 9

soph September 22 2008, 17:55:16 UTC
As far as I know, LiveJournal already uses HttpOnly on its cookies. That's what I see in my Firefox's cookies.txt, anyway.


gerg September 22 2008, 18:02:36 UTC
Strange, when I connect directly the HttpOnly flag isn't set. Firefox 3 moved to some obtuse sqlite database so I can't check it, but if you telnet to LJ and get the page source it definitely isn't setting HttpOnly, at least for ljuniq.


soph September 22 2008, 19:48:06 UTC
Maybe it does browser sniffing? Try setting your User-Agent header when you connect directly. Mine is "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" if you need one to test with.

[edit: Mind you, I can confirm that for ljuniq, it doesn't seem to be using HttpOnly cookies. That one doesn't allow access to anything requiring security, though.]

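The check described in the two comments above (fetch the raw response over telnet, look at the Set-Cookie headers, optionally repeat with a browser User-Agent in case the server sniffs it) can be scripted. The following is an added example, not code from this thread or from LiveJournal: it builds the raw request to paste into telnet and parses the Set-Cookie headers of a response, listing the cookies that lack HttpOnly. The response text is constructed for illustration; the cookie names follow the ones mentioned here, the values and dates are placeholders.

```python
"""Report which cookies in a raw HTTP response lack the HttpOnly flag.

Added example; not LiveJournal's code. SAMPLE_RESPONSE is constructed:
cookie names mirror the thread, values and dates are placeholders.
"""
from typing import Dict, List, Optional, Set

# Constructed sample of what a telnet session might print back.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 23 Sep 2008 10:28:39 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ljuniq=PLACEHOLDER:1222165719; expires=Thu, 23-Sep-2010 10:28:39 GMT; "
    "domain=.livejournal.com; path=/\r\n"
    "Set-Cookie: ljsession=PLACEHOLDER; domain=.livejournal.com; path=/; HttpOnly\r\n"
    "Set-Cookie: ljloggedin=PLACEHOLDER; domain=.livejournal.com; path=/; HttpOnly\r\n"
    "Set-Cookie: langpref=en_LJ/1222165719; expires=Thu, 23-Sep-2010 10:28:39 GMT; "
    "domain=.livejournal.com; path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>...</body></html>"
)


def build_request(host: str, path: str = "/", user_agent: Optional[str] = None) -> str:
    """Return the raw HTTP/1.1 request to paste into a telnet session.

    A User-Agent header is added when given, so the same check can be
    repeated with a browser-like UA in case the server only sets the flag
    for recognised browsers (the sniffing possibility raised above).
    """
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if user_agent:
        lines.append(f"User-Agent: {user_agent}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_set_cookies(raw_response: str) -> Dict[str, dict]:
    """Parse every Set-Cookie header in a raw HTTP response.

    Returns {cookie_name: {"value": str, "attrs": {name: value}, "flags": set}}.
    Attribute names and flags are lower-cased. A cookie set twice keeps the
    last occurrence, which is what a browser would store as well.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]      # headers only, body ignored
    cookies: Dict[str, dict] = {}
    for line in head.split("\r\n"):
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        # Attributes are ';'-separated; 'expires' legitimately contains commas,
        # so never split on ','.
        parts = [p.strip() for p in hvalue.split(";")]
        cname, _, cval = parts[0].partition("=")
        attrs: Dict[str, str] = {}
        flags: Set[str] = set()
        for part in parts[1:]:
            if not part:
                continue
            aname, asep, aval = part.partition("=")
            if asep:                                   # key=value attribute
                attrs[aname.strip().lower()] = aval.strip()
            else:                                      # bare flag: HttpOnly, Secure
                flags.add(aname.strip().lower())
        cookies[cname.strip()] = {"value": cval, "attrs": attrs, "flags": flags}
    return cookies


def cookies_missing_httponly(raw_response: str) -> List[str]:
    """Names of cookies set by the response that script could read via document.cookie."""
    return [name for name, c in parse_set_cookies(raw_response).items()
            if "httponly" not in c["flags"]]


if __name__ == "__main__":
    print(build_request("www.livejournal.com", "/",
                        "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"))
    for name in cookies_missing_httponly(SAMPLE_RESPONSE):
        print(f"{name}: no HttpOnly flag")
```

On the constructed sample this reports only ljuniq, matching the observation in the thread. Worth keeping in mind when weighing the suggestion: HttpOnly stops injected script from reading a cookie through document.cookie, but the browser still attaches the cookie to any request that script triggers, so the flag narrows what an XSS can do (cookie theft for reuse elsewhere) rather than preventing the XSS itself; the same parser also exposes whether Secure is set, which is the other flag to look for on session cookies.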


rebelsheart September 22 2008, 22:02:48 UTC
I personally support anything that makes LJ more secure to use. As this suggestion is way over my head, I'm not sure if it will receive the attention it deserves.



hakeber September 23 2008, 03:28:30 UTC
+1



soph September 23 2008, 10:28:39 UTC
I just double-checked using the Tamper Data extension for Firefox. All the cookies set during login have the HttpOnly flag set - ljmastersession, ljloggedin, BMLschemepref, langpref, and ljsession.


gerg September 23 2008, 14:18:01 UTC
That's good to know. I'm tempted to delete this suggestion but I'd probably also want ljuniq to be http-only, if only because of what it's used for... I could picture situations where someone nefarious creates an XSS exploit to steal ljuniq cookies and do bad things which will be blamed on $innocent_user...


azurelunatic September 23 2008, 14:32:29 UTC
Always best to warn & lock rather than delete a suggestion. FYI. :-P


gerg September 23 2008, 14:40:22 UTC
Of course I would've bothered you in IRC before actually doing so. I know the rules. (And so do you :X)



