[Voiceglue] HttpOnly flag in cookies

Lord Rod altogether.elsewhere at gmail.com
Wed Apr 7 14:58:46 UTC 2010


I'm not sure if this is a bug or not, but I found that trying to set
cookies when talking to voiceglue resulted in this error appearing in
the dynlogs:

|1088059712|1|SEVERE|swi:SBinet|257|SBinet: Expecting '=' after cookie
attribute's name|attributeSpec=HttpOnly|attribute=HttpOnly

It turns out that the web application framework I was using (Rails) by
default takes advantage of newer web browsers' anti XSS scripting
ability by passing the HttpOnly flag in the response header, like
this:

Date: Wed, 07 Apr 2010 14:51:07 GMT
Etag: "02b922bc1d49b90cdbe2af827c97a877"
X-Runtime: 10
Cache-Control: private, max-age=0, must-revalidate
Content-Type: application/xml; charset=utf-8
Content-Length: 475
Set-Cookie: _ivrportal_session=75a99a824d4914faa589ae5902045ac8;
path=/; HttpOnly

200 OK
More info on why here:
http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html


It appears that voiceglue can't parse this.  For me the solution was
to switch off this function in Rails like this:

config.action_controller.session = {
  :session_http_only => false,
}

I guess in a typical IVR scenario you're not too worried by XSS so
this isn't much of a risk.  However, ideally it would be good if
voiceglue could at least recognise and discard the tag rather than
throwing an error and refusing the cookie.
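As an added illustration (not voiceglue or Rails code), the contrast below shows a strict Set-Cookie attribute parser that fails the way the dynlog above describes, next to a tolerant one that accepts value-less flag attributes such as HttpOnly and Secure and discards unknown ones. The sample header is the one quoted in the post; the function names and the error text are my own.

```ruby
# Added example, not code from voiceglue or Rails.
# RFC 6265 allows value-less attributes such as HttpOnly and Secure; a parser
# that insists on "name=value" for every attribute rejects the whole cookie.

# Constructed sample, taken from the Set-Cookie header shown in the post.
SET_COOKIE = "_ivrportal_session=75a99a824d4914faa589ae5902045ac8; path=/; HttpOnly".freeze

# Attributes that take no value per RFC 6265 section 4.1.1.
FLAG_ATTRIBUTES = %w[httponly secure].freeze

# Strict parser reproducing the failure: every attribute must contain '='.
def parse_cookie_strict(header)
  pairs = header.split(';').map(&:strip)
  name, value = pairs.shift.split('=', 2)
  attrs = {}
  pairs.each do |spec|
    raise ArgumentError, "Expecting '=' after cookie attribute's name: #{spec}" unless spec.include?('=')
    k, v = spec.split('=', 2)
    attrs[k.downcase] = v
  end
  { name: name, value: value, attrs: attrs }
end

# Tolerant parser: known flags are recorded as true, other value-less
# attributes are ignored, so the cookie itself is still accepted.
def parse_cookie_tolerant(header)
  pairs = header.split(';').map(&:strip)
  name, value = pairs.shift.split('=', 2)
  attrs = {}
  pairs.each do |spec|
    if spec.include?('=')
      k, v = spec.split('=', 2)
      attrs[k.downcase] = v
    elsif FLAG_ATTRIBUTES.include?(spec.downcase)
      attrs[spec.downcase] = true
    end
    # any other value-less attribute is silently discarded
  end
  { name: name, value: value, attrs: attrs }
end

if __FILE__ == $PROGRAM_NAME
  begin
    parse_cookie_strict(SET_COOKIE)
  rescue ArgumentError => e
    puts "strict: #{e.message}"
  end
  p parse_cookie_tolerant(SET_COOKIE)
end
```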

