the auth_openid_cookie should be ssl protected

[cviecco]

the authentication cookie set for openid is not set for ssl_only nor there is a mechanism to set it up. Since this cookie is expected to grant privileges to the end user its default behavior should be to be ssl protected by default.

In lieu with being an authorization cookie, it should also be HttpOnly and not available to javascript (to prevent a class of XSS attacks).

Here is the diff of the one liner to do this:

diff -crB mod_auth_openid-0.6/http_helpers.cpp mod_auth_openid-0.6-new/http_helpers.cpp
*** mod_auth_openid-0.6/http_helpers.cpp 2010-11-27 18:41:45.000000000 +0000
--- mod_auth_openid-0.6-new/http_helpers.cpp 2011-12-19 21:25:39.000000000 +0000

---

*** 263,268 ****
--- 263,269 ----
strftime(expires, sizeof(expires), "%a, %d-%b-%Y %H:%M:%S GMT", tmp);
cookie_value = name + "=" + session_id + "; expires=" + string(expires) + "; path=" + path;
}

• cookie_value.append("; secure; HttpOnly");
  

  };

  // Get the post query string from a HTTP POST

[bmuller]

This only makes sense if the server is running HTTPS, which not all servers do, and I'd like to make the module available and useful whether or not someone is using SSL (even though, obviously, they should).

I think this should just be another config option where you can force a secure cookie.