Deron Meranda
deron.meranda at gmail.com
Wed Apr 26 10:34:16 EDT 2006
On 4/26/06, Jesus Cea <jcea at argo.es> wrote:
> > You may want to disable the TRACE method in Apache to
> > prevent cookie stealing.
>
> Uhm? That was new to me. How does TRACE help to steal cookies?

See http://www.apacheweek.com/issues/03-01-24#news

The basic gist is that the TRACE method (which is built directly into the Apache internals; you can't handle it with your own handler, for instance) will echo out all of the cookies back to the caller. This actually is a "vulnerability", if you will, in the HTTP protocol, so it's not just an Apache thing. It involves the ability of the new "AJAX" style javascript to get a copy of any of the cookies from a site, which can then send those cookies to a different site. Thus silently stealing your cookies.

The safest thing is to simply disable TRACE.

The notes for http://issues.apache.org/jira/browse/MODPYTHON-108 contain related information, especially the HttpOnly cookie property. Follow the links mentioned in that note for even more information on the subject.

--
Deron Meranda
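An added defender-side check, not part of the original thread: it sends a TRACE request carrying a harmless marker header and reports whether the server reflects it, which is exactly the echo behaviour described above. The two handler classes are constructed local test doubles (one that echoes like a server with TRACE enabled, one that answers 405) so the check can be exercised offline; the marker header name is an arbitrary choice.

```python
"""Check whether an HTTP server still honours the TRACE method.

A server with TRACE enabled echoes the request, including any Cookie
header, back in the response body. This check sends a TRACE carrying a
harmless marker header and reports whether the marker is reflected.
"""
import http.client
import http.server
import threading

MARKER = "X-Trace-Check"   # assumed: any header name works, the server just echoes it


def trace_enabled(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if the TRACE request is echoed back (TRACE is enabled)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER: "probe"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    # A hardened server answers 405 (or 403 via a rewrite rule) and never
    # reflects the request; an enabled one returns 200 with the request as body.
    return resp.status == 200 and MARKER in body


class _EchoTrace(http.server.BaseHTTPRequestHandler):
    """Constructed test double: behaves like a server with TRACE enabled."""
    def do_TRACE(self):
        echoed = self.raw_requestline + bytes(self.headers)  # raw request line + headers
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the test double quiet
        pass


class _DenyTrace(http.server.BaseHTTPRequestHandler):
    """Constructed test double: TRACE disabled, method not allowed."""
    def do_TRACE(self):
        self.send_error(405)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a throwaway local server on a free port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Against a real deployment, call `trace_enabled(host, port)` once before and once after disabling TRACE to confirm the change took effect.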