Session's cookie expiration and HttpOnly

Bug #324779 reported by gimenete
Affects: play framework
Status: Fix Committed
Importance: Undecided
Assigned to: Nicolas Leroux

Bug Description

There is no way to change the expiration date of the session's cookie. It will also be useful to be able to set the cookie as HttpOnly to minimize any possible XSS attack.

The default expiration time could be set as a parameter in the configuration file. However, I would like to implement the typical functionality of "remind me in this computer". That is a checkbox that, when selected, makes the expiration date longer than when it is not selected. That is, the expiration date could be changed programmatically.

Guillaume Bort (guillaume-bort) wrote :

The expiration date of the session cookie is now configurable through the application.sessionMaxAge configuration property:

application.sessionMaxAge=20mn

For the HttpOnly cookie we have to wait for AsyncWeb to support it ...

gimenete (gimenete) wrote : Re: [Bug 324779] Re: Session's cookie expiration and HttpOnly

I haven't seen the source code but, if the session is maintained
through a cookie and there is a capability to set the HTTP headers, it
could be possible to set the Set-Cookie header manually, couldn't it?

On Tue, Feb 3, 2009 at 11:14 AM, Guillaume Bort
<email address hidden> wrote:
> The expiration date of the session cookie is now configurable through
> the application.sessionMaxAge configuration property:
>
> application.sessionMaxAge=20mn
>
> For the HttpOnly cookie we have to wait for AsyncWeb to support it ...

--
Alberto Gimeno Brieba
email and gtalk: <email address hidden>
blog: http://gimenete.net
favorite website: http://www.debugmodeon.com
mobile phone: +34 625 24 64 81
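
The manual Set-Cookie approach raised in the reply above, combined with the requested "remember me" lifetime, as an added Java example that is not code from this thread or from Play. The class, method and cookie names, the 30d lifetime and the duration parser (suffixes s, mn, h, d, modelled on the 20mn value) are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionCookieExample {
    // "20mn" is the value shown in the thread; "30d" is a hypothetical "remember me" lifetime.
    static final String DEFAULT_MAX_AGE = "20mn";
    static final String REMEMBER_ME_MAX_AGE = "30d";

    private static final Pattern DURATION = Pattern.compile("(\\d+)(s|mn|h|d)");

    /** Parses a duration such as "20mn" into seconds (assumed suffixes: s, mn, h, d). */
    static long parseDuration(String text) {
        Matcher m = DURATION.matcher(text.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("Unsupported duration: " + text);
        }
        long n = Long.parseLong(m.group(1));
        switch (m.group(2)) {
            case "s":  return n;
            case "mn": return n * 60;
            case "h":  return n * 3600;
            default:   return n * 86400; // "d"
        }
    }

    /** Builds the Set-Cookie header value for the session cookie. */
    static String sessionCookieHeader(String name, String value, boolean rememberMe) {
        // Reject characters (";", CR, LF, spaces) that could add attributes or split the header.
        if (!name.matches("[A-Za-z0-9_]+") || !value.matches("[A-Za-z0-9._~%-]*")) {
            throw new IllegalArgumentException("Illegal cookie name or value");
        }
        // The checkbox only selects between two server-side lifetimes.
        long maxAge = parseDuration(rememberMe ? REMEMBER_ME_MAX_AGE : DEFAULT_MAX_AGE);
        return name + "=" + value
            + "; Path=/"
            + "; Max-Age=" + maxAge
            + "; HttpOnly"; // keeps the cookie out of document.cookie
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        System.out.println("Set-Cookie: " + sessionCookieHeader("APP_SESSION", "abc123", false));
        System.out.println("Set-Cookie: " + sessionCookieHeader("APP_SESSION", "abc123", true));
    }
}
```

With the sample values, the first header carries Max-Age=1200 and the second Max-Age=2592000; both end in HttpOnly.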

Changed in play:
status: New → Fix Committed
gimenete (gimenete) wrote :

AsyncWeb has now support for HttpOnly cookies:
https://issues.apache.org/jira/browse/ASYNCWEB-35

Changed in play:
status: Fix Committed → Confirmed
paul.lemon (paul-lemon) wrote :

Hi,

I have experienced an issue setting httpOnly on cookies in playframework 1.0 and cannot find a method to achieve this.
I made this post on the google group
http://groups.google.co.uk/group/play-framework/browse_thread/thread/4358182093f2c7c3/5bedf87fe2a27e34?hl=en&lnk=raot#5bedf87fe2a27e34

Guillaume asked me to reopen this issue in a response to that post but I am not able to do this so will start a new issue and report my problem in that.

Paul

Changed in play:
assignee: nobody → Nicolas Leroux (nicolas-lunatech)
milestone: none → 1.1
Changed in play:
status: Confirmed → Fix Committed