Monday, February 21, 2011

Two cookie attributes you MUST be aware of to secure your web app

There are two attributes of cookies that every web developer must be aware of to secure a web application. These two attributes do not save your application from all attacks, but they do reduce its exposure to a great extent. These two attributes are:

  • HttpOnly
  • Secure

The first attribute, HttpOnly, says that the cookie is intended to be passed only as a part of HTTP communication. Hence it must not be available to client-side code (like JavaScript running in the browser). So once you load a page, if you type "javascript:alert(document.cookie)" in the URL bar, you will not see those cookies that have the HttpOnly flag set.

The second attribute, Secure, tells the browser that the cookie should be sent as a part of the request if and only if the communication happens over an HTTPS channel. Typically login requests are sent over HTTPS. (If you are using a web app that serves its login page over plain HTTP, it's time you stopped using it!) Typically, as a part of the login response, two sets of cookies are set: one that can be sent over both HTTP and HTTPS, and another set that can be sent only over HTTPS. It is the cookies that are sent only over HTTPS that the serious parts of your web application should depend on, for example checking out your shopping cart.
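To check a login response for the two flags discussed above, here is an added Python example (not code from the original post). The Set-Cookie headers are constructed samples, and the function names such as audit_set_cookie are my own.

```python
# Added example (not from the original post): audit Set-Cookie headers for the
# HttpOnly and Secure flags. The sample headers below are constructed.

SAMPLE_SET_COOKIE_HEADERS = [  # constructed, as a login response might emit them
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "csrftoken=def456; Path=/; Secure",
    "prefs=dark; Path=/",
    "remember_me=ghi789; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Flag attributes such as HttpOnly and Secure carry no value, so they are
    stored with an empty string; attribute names are lower-cased for lookup.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header):
    """Return (cookie name, list of missing flags) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    missing = [flag for flag, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
               if key not in attrs]
    return name, missing

def audit_response(set_cookie_headers):
    """Map each cookie that lacks a flag to the list of flags it is missing."""
    findings = {}
    for header in set_cookie_headers:
        name, missing = audit_set_cookie(header)
        if missing:
            findings[name] = missing
    return findings

def build_set_cookie(name, value, path="/"):
    """Emit the hardened form: both flags set, so the cookie is neither
    readable from script nor sent over plain HTTP."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure"

if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```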

You can learn more about the HttpOnly flag here and here. You can also learn more about the Secure flag on the wiki page.

Saturday, February 19, 2011

Cygwin and irb

If you have tried to start irb on a Windows machine that has Cygwin installed, you may have seen the following exception trace:

C:/Ruby192/lib/ruby/site_ruby/1.9.1/rbreadline.rb:2095:in `expand_path': non-absolute home (ArgumentError)
        from C:/Ruby192/lib/ruby/site_ruby/1.9.1/rbreadline.rb:2095:in `_rl_read_init_file'
        from C:/Ruby192/lib/ruby/site_ruby/1.9.1/rbreadline.rb:2078:in `rl_read_init_file'
        from C:/Ruby192/lib/ruby/site_ruby/1.9.1/rbreadline.rb:2499:in `readline_initialize_everything'
        from C:/Ruby192/lib/ruby/site_ruby/1.9.1/rbreadline.rb:3730:in `rl_initialize'
        from C:/Ruby192/lib/ruby/site_ruby/1.9.1/rbreadline.rb:4737:in `readline'
        from C:/Ruby192/lib/ruby/site_ruby/1.9.1/readline.rb:40:in `readline'
        from C:/Ruby192/lib/ruby/1.9.1/irb/input-method.rb:115:in `gets'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:139:in `block (2 levels) in eval_input'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:273:in `signal_status'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:138:in `block in eval_input'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:188:in `call'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:188:in `buf_input'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:103:in `getc'
        from C:/Ruby192/lib/ruby/1.9.1/irb/slex.rb:205:in `match_io'
        from C:/Ruby192/lib/ruby/1.9.1/irb/slex.rb:75:in `match'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:286:in `token'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:262:in `lex'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:233:in `block (2 levels) in each_top_level_statement'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:229:in `loop'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:229:in `block in each_top_level_statement'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:228:in `catch'
        from C:/Ruby192/lib/ruby/1.9.1/irb/ruby-lex.rb:228:in `each_top_level_statement'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:155:in `eval_input'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:70:in `block in start'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:69:in `catch'
        from C:/Ruby192/lib/ruby/1.9.1/irb.rb:69:in `start'
        from C:/Ruby192/bin/irb:12:in `
'
The solution to this problem is very simple. Just unset the HOME environment variable (and its related variables) and start irb again:
set HOME=
set HOMEDRIVE=
set HOMEPATH=
set HOMESHARE=
Some of these variables are not directly related to Cygwin, but clearing them will also help you avoid issues while running gems.