82ef171a50
* initial cut on XSS, need to add some tests still
* initial unit tests for assignment endpoints
* updating header comment license thingy
* comment, clean up
* Stubs for security unit test
* Additional Unit Testing
* isEncoded and isNotEncoded Unit Tests added
* http-proxies updates
* update for XXE solutions
* Work-around to handle special chars in action ... currently to be able to match {userId} in hint creation/assignment for IDOR
* IDOR hints updated
* mitigation content update
* mitigation content update ... 2
* Lesson Overview updates
* including restart lesson fix for lesson overview
32 lines
826 B
Plaintext
32 lines
826 B
Plaintext
== HTTPOnly Implementation
|
|
|
|
* Java has limited support for HTTPOnly
|
|
+
|
|
----
|
|
response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + "; HTTPOnly");
|
|
----
|
|
* Draft Servlet 3.0 specification (JSR 315)
|
|
** Support in Cookie and SessionCookieConfig
|
|
|
|
* ASP.NET 1.1 has no built-in support for HTTPOnly
|
|
+
|
|
----
|
|
HttpCookie cookie = new HttpCookie("MyCookie");
|
|
cookie.Value = cookieval;
|
|
cookie.Path = FormsAuthentication.FormsCookiePath + "; HTTPOnly";
|
|
context.Response.Cookies.Add(cookie);
|
|
----
|
|
* ASP.NET 1.1 EndRequest event listener
|
|
+
|
|
----
|
|
private void OnEndRequest(object sender, EventArgs e)
|
|
{
|
|
HttpContext context = HttpContext.Current;
|
|
foreach (string sCookie in context.Response.Cookies)
|
|
{
|
|
context.Response.Cookies[sCookie].Path += "; HTTPOnly";
|
|
}
|
|
}
|
|
---
|
|
* ASP.NET 2.0 has HTTPOnly property in Cookie class
|