Secure and httponly options on cookie.
Created by: dosire
If administrators enable config.force_ssl this code automatically tells clients to only send cookies over SSL, improving security by complying with OWASP recommendations: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-Use.22Secure.22_Cookie_Flag
If config.force_ssl is not set there will be no effect.
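The following is an added example (not the merge request's own diff) of the pattern the description refers to: a Rails-style session store whose Secure flag follows config.force_ssl, a renderer that shows the Set-Cookie header a cookie store would emit for each setting, and an audit helper that reports which flags are missing from an observed header. The AppConfig struct stands in for Gitlab::Application.config, and setting HttpOnly unconditionally is a choice of this example rather than a statement about the merge request.

```ruby
# Added example, not code from the merge request: session-cookie flags derived
# from a Rails-style force_ssl setting, plus a Set-Cookie renderer and checker.

# Stand-in for Gitlab::Application.config (hypothetical; only force_ssl is used).
AppConfig = Struct.new(:force_ssl)

# Options as they would be passed to config.session_store :cookie_store, ...
# secure follows force_ssl, so a plain-HTTP deployment is unchanged by it.
# httponly is always set (assumption of this example): it costs nothing over
# HTTP and keeps document.cookie from reading the session id after an XSS.
def session_cookie_options(config)
  {
    key: '_gitlab_session',
    secure: !!config.force_ssl,
    httponly: true
  }
end

# Render the Set-Cookie header a cookie store would emit for these options.
def set_cookie_header(opts, value)
  parts = ["#{opts[:key]}=#{value}", 'path=/']
  parts << 'secure' if opts[:secure]
  parts << 'HttpOnly' if opts[:httponly]
  parts.join('; ')
end

# Audit helper: given a Set-Cookie header observed on an HTTPS response,
# return the names of the two flags that are missing (empty means hardened).
# Attribute names are case-insensitive per the cookie spec, hence downcase.
def missing_cookie_flags(header)
  attrs = header.split(';').map { |a| a.strip.downcase }
  missing = []
  missing << 'Secure' unless attrs.include?('secure')
  missing << 'HttpOnly' unless attrs.include?('httponly')
  missing
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |ssl|
    opts = session_cookie_options(AppConfig.new(ssl))
    hdr = set_cookie_header(opts, 'abc123')
    puts "force_ssl=#{ssl}: Set-Cookie: #{hdr} (missing: #{missing_cookie_flags(hdr).inspect})"
  end
end
```

With force_ssl true the header carries both Secure and HttpOnly, so a browser on an open wifi network will not send the session id over a plain-HTTP request that a Firesheep-style sniffer could read; with force_ssl false only HttpOnly is present, which is what the description means by "no effect". The two flags protect against different things: Secure stops transmission over cleartext, HttpOnly stops script access, and neither substitutes for the other.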
Activity
Created by: dosire
@randx Thank you for asking. The problem is that when you force SSL to true you might forget to set your cookies to HTTPS only. If you forget to do this then your cookies are vulnerable when your users are on an unsafe connection, for example public wifi. This attack happens in the wild with Firesheep (http://codebutler.com/firesheep/) and you can read more about this attack at http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking
Of course some people will remember and configure the cookie correctly to prevent this attack. However, I feel it is important to be secure by default. Default in this case means when a user forces SSL; if that is not set, this PR will not change anything.
By Administrator on 2012-10-09T07:13:36 (imported from GitLab project)