Cookies and httponly

I am wondering if there is some way to implement the httponly flag with websession.cookie.set? Also wondering why the “sessionid” cookie in Xojo is not using the httponly flag or is there an option to enable it? It might help in hardening Xojo web apps against XSS attacks if available. It doesn’t seem to be used.

Thoughts?

File a feature request and we’ll look into it.

Here it is: <https://xojo.com/issue/38174>

WHAT:
There should be a way to specify the ‘HttpOnly’ flag in any cookie set by websession.cookie - also the framework’s built-in cookie for session management ‘sessionid’ should have this flag set by default, or at least optionally.

WHY:
HttpOnly is an effective preventative measure that would build in increased protection for Xojo web app developers (and users) against Cross Site Scripting attacks on Xojo apps. The HttpOnly flag on a cookie should be trivial to support/implement.

DETAILS:
"99% of browsers and most web application frameworks" support HttpOnly (Xojo does not to my knowledge)

Cross-Site-Scripting is the #1 vulnerability in web applications:
http://www.cenzic.com/downloads/Cenzic_Vulnerability_Report_2014.pdf

Workarounds:
Possibly secure cookies.
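As an added illustration of what the feature request is asking for (this is example code, not from the thread or from the Xojo framework), the script below parses Set-Cookie header values the way a browser would and reports which cookies are missing the HttpOnly and Secure attributes. It is the check a developer can run against their app's actual response headers to confirm the session cookie is no longer readable from script; the header values in it are constructed sample data, and the cookie name `sessionid` is only reused from the request above.

```python
"""Audit Set-Cookie header values for the HttpOnly and Secure attributes.

Added example, not code from the forum thread or from Xojo. Given the
Set-Cookie values a web app emits, it lists every cookie that lacks
HttpOnly (readable via document.cookie by injected script) or Secure
(sent over plain HTTP). The SAMPLE_HEADERS below are constructed data.
"""

from dataclasses import dataclass, field


@dataclass
class CookieInfo:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for bare flags
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value: name=value; Attr; Attr=value (RFC 6265 shape).

    Attribute names are matched case-insensitively, as browsers do, so
    'httponly', 'HttpOnly' and 'HTTPONLY' all count.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate "a=b;; Path=/"
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return CookieInfo(name.strip(), value, attrs)


def audit_cookies(header_values):
    """Return {cookie name: [missing flags]} for cookies lacking HttpOnly or Secure."""
    findings = {}
    for hv in header_values:
        cookie = parse_set_cookie(hv)
        missing = []
        if not cookie.http_only:
            missing.append("HttpOnly")
        if not cookie.secure:
            missing.append("Secure")
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample headers: a session cookie emitted without any flags,
# the hardened form the feature request asks for, and a preference cookie.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/",
    "hardened=3f9a1c; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Max-Age=2592000",
]

if __name__ == "__main__":
    for name, flags in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(flags)}")
```

Feed it the real header values from a response (for example, copied from the browser's network panel) instead of `SAMPLE_HEADERS`; any line reported for `sessionid` means the session cookie is still exposed to script.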

John thank you, good suggestion.

Hey~ this feature request has already been implemented - wow, that was fast! Way to go Xojo.

Thank you!

Sweet :slight_smile: