the .launchpad.net session cookie, lp should be a httponly cookie
Bug #740828 reported by
David
This bug report is a duplicate of:
Bug #96878: Launchpad session cookie is accessible from Javascript.
Edit
Remove
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
New
|
Undecided
|
Unassigned | ||
Bug Description
The session cookie used on launchpad.net called lp for the domain .launchpad.net is a secure cookie but it is not a httponly cookie. If a cookie is httponly then "If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result" - source http://
This should reduce the potential damage that a xss on a https enabled launchpad.net service would be able to inflect on a user's account.
To post a comment you must log in.
