We have a Vaadin Flow 14.x enterprise app and a recent security review highlighted the lack of HttpOnly flag being set with the JSESSIONID cookie. How do we set this flag with Vaadin Flow 14? I've searched quite a bit and have not found any references to this.
Our app uses embedded Jetty, but that probably doesn't matter in this case as it's Vaadin that's setting JSESSIONID from what we can tell.
SOLUTION
The solution as described below is to configure embedded jetty to set HttpOnly. In my case I did this via:
import org.eclipse.jetty.webapp.WebAppContext;

WebAppContext context = new WebAppContext();
// Tell Jetty's session handler to emit the JSESSIONID cookie with the HttpOnly attribute
context.getSessionHandler().setHttpOnly(true);
The key is to configure this through Jetty. Vaadin is just using javax.servlet.http.HttpSession without directly touching any low-level session management details such as cookies.
Related
[Updated - see comment at end]
Google will be changing the behaviour of its Chrome browser so that cookies will no longer work when hosted in another domain's IFRAME unless the cookies are explicitly set to SameSite = None, and Secure.
To this end, we made this change in our ASP.NET MVC code. We have some logic around when to set this (only for partners that we've agreed to work with), so we have this conditional logic:
if (isSameSiteCookieEnforced)
{
cookie.SameSite = SameSiteMode.None;
cookie.Secure = true;
}
We tested this in our DEV, QA, STAGE environments and it works perfectly. In Chrome's developer tools (Application > Cookies), you can inspect the cookies and see that they are all marked as Secure, and have None in the SameSite column.
However, when we rolled this to our PROD environment, we get different results using the same browser: the cookies are marked as Secure, but the SameSite value is empty.
What we checked:
Load Balancer: we isolated this and navigated direct to a single web server, same result
Installed .NET frameworks: in all environments, we've installed 4.7.2 and 4.8
Addressed .NET framework: in all environments, the web.config stipulates 4.7.2
Code: we retrieved the relevant DLL from PROD and inspected it with ILSpy. It contains the above code
Currently at a bit of a loss to explain how the cookies could lose the "SameSite" property. Navigating to chrome://flags and filtering on SameSite we're showing the three settings to be "default", so Chrome shouldn't be affecting anything differently from one environment to another.
Update
Our ASP.NET MVC application uses an IHttpModule and as one of the last steps in the EndRequest method we trace out the cookies. You can clearly see that they are set with SameSite=None and Secure=true. But, when they arrive at the browser, the SameSite property has been stripped.
If you are conditioning on whether the new SameSite behavior is enforced, you will want to test the behavior with the chrome://flags entries same-site-by-default-cookies and cookies-without-same-site-must-be-secure set to both "Enabled" and "Disabled". If they are set to "Default", there is no way to tell what the behavior is. It could be on or off, depending on the random seed determined on startup, since the features are currently in a field trial (A/B testing) on Beta. See the second bullet list in "Launch Timeline" here: https://www.chromium.org/updates/same-site
Found the issue - turned out that we were missing a Windows patch.
I'm currently creating an application, in which I use code like this:
session.user = user.username
Hence I get a JSESSIONID cookie created. But I want my client-side program to read this cookie; since it's been set with HttpOnly true, I can't get the value from the client side.
How should one change the cookie's HttpOnly setting to false in Grails, so that client-side code can read it?
Thanks.
The httpOnly setting isn't a Grails option but rather an option of the container running your application (Tomcat in your example). Thus these changes are going to be related to Tomcat more than Grails.
Normally Grails creates the web.xml for Tomcat at compile/runtime and while you could use the eventConfigureTomcat within BuildConfig.groovy to configure Tomcat, this would only work for development and testing environments and not production.
Thus, it's best to use install-templates and modify your src/templates/war/web.xml to have the correct value for the httpOnly attribute. e.g. <Context httpOnly="false" ... You can find out more information about configuring Tomcat from their official documentation.
I integrated the spring-security-oauth plugin into my app, and the login over FB or Google seems to be working fine.
The problem I have now, is that the authentication expires along with the tomcat session, which is not what it should be. I want the OAuth-authentication to be persistent on client's machine. Some sort of spring security's remember-me functionality is needed.
Is there a possibility to activate it out-of-box?
TIA
I have this setup in my application. What you want to do is enable rememberme configuration:
http://grails-plugins.github.io/grails-spring-security-core/docs/manual/guide/single.html#rememberMeCookie
run the s2-create-persistent-token script
In config file:
rememberMe.alwaysRemember = true // by default it is false
rememberMe.persistent = true // by default it is off
I don't have my application on hand but if you need exact configs, let me know and I'll post it up later for you.
So, after doing some research and talking to the plugin creator here http://github.com/enr/grails-spring-security-oauth/issues/9, the solution was found. It will be available in the upcoming release, or you can do it yourself
I have tried many ways to use the HttpOnly flag to prevent XSS attacks, but all failed.
The common way is to set useHttpOnly="true" in context.xml.
To test the result: in the Java code I set two test cookies, and in the front-end JSP file I include JavaScript to alert document.cookie; the two test cookies set in the Java code are retrieved and shown in the alert.
Java code:
import javax.servlet.http.Cookie;

// Two plain application cookies; nothing here sets HttpOnly on them
Cookie cookie = new Cookie("httponlytest","testsss");
response.addCookie(cookie);
Cookie cookie1 = new Cookie("testhttponly","successfu");
response.addCookie(cookie1);
javascript in jsp file:
alert("cookie------------"+document.cookie);
Is there anything I did wrong?
If you know how, it would be very helpful.
For others who do not know HttpOnly:
HttpOnly=true is a relatively new attribute to make a cookie in the browser inaccessible to JavaScript.
So it is a browser-only security (XSS) technique to prevent accessing JSESSION_ID (hijacking java sessions) and such.
So you could always set the HttpOnly attribute in the Cookie itself. For the Java session ID it is now default I think, at least it should be.
<Context useHttpOnly="true">
This seems to work only for JSESSIONID. I just found this in SO.
Recently I was dealing with http-only=true cookies. During my research I found that Mozilla and Chrome do not allow Java applets to use http-only=true cookies. I was getting an issue accessing the JsessionidSSO cookie. During my research on bugs of Java I found this bug
While in IE there is no issue in reading the cookies, as IE has provided the InternetGetCookieEx() API to access http-only cookies and added the flag INTERNET_COOKIE_HTTPONLY, available only in IE8 and above versions. So the problem of accessing the http-only cookies is still not solved, as Java proposed the fix in Java 7 Update 40 while the current version is Java 7 Update 21.
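An added example, not code from any of the posts above: a small Python audit of Set-Cookie headers that reports the HttpOnly, Secure and SameSite state of each cookie. It covers the unflagged JSESSIONID from the Vaadin question, the stripped SameSite attribute from the ASP.NET question, and the application cookies that Tomcat's useHttpOnly setting does not cover in the question above. The sample headers and the SESSION_COOKIES list are constructed assumptions.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite.

Sample headers below are constructed for this example; they were
not captured from a real Vaadin, Tomcat or ASP.NET server.
"""
# Cookie names that carry a session identifier (assumed list, extend as needed).
SESSION_COOKIES = {"jsessionid", "asp.net_sessionid", ".aspxauth"}

def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate a trailing ';'
            key, has_eq, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name, attrs

def audit_cookie(name, attrs):
    """Return the weaknesses of one cookie; an empty list means properly flagged."""
    findings = []
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    if "httponly" not in attrs:
        kind = "session" if name.lower() in SESSION_COOKIES else "application"
        findings.append(f"{kind} cookie missing HttpOnly (readable via document.cookie)")
    if not secure:
        findings.append("missing Secure")
    if not isinstance(samesite, str):  # absent, or a bare 'SameSite' with no value
        findings.append("missing SameSite (browser default applies)")
    elif samesite.lower() == "none" and not secure:
        findings.append("SameSite=None without Secure is rejected by Chrome")
    return findings

def audit_headers(headers):
    """Map each cookie name to its findings."""
    return {name: audit_cookie(name, attrs) for name, attrs in map(parse_set_cookie, headers)}

SAMPLE_HEADERS = [  # constructed responses illustrating the cases on this page
    "JSESSIONID=4B1F2C; Path=/",                            # container default, no flags
    "httponlytest=testsss; Path=/",                         # app cookie; Tomcat useHttpOnly does not cover it
    ".ASPXAUTH=1A2B; Path=/; Secure",                       # SameSite attribute stripped
    "partner=1; Path=/; SameSite=None",                     # None without Secure
    "sid=9F8E; Path=/; Secure; HttpOnly; SameSite=Strict",  # correctly flagged
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run it against the Set-Cookie values from a real response (for instance copied from the browser's network panel) to confirm whether the container setting actually reached the client, which is the point the ASP.NET question above was chasing.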
I have an ASP.NET MVC4 application running on Windows Azure and it uses Azure ACS for Federated Authentication.
When we first started testing the application, it was working in all the browsers except Safari and Opera because of the size of cookie.
I've read several articles online that asked me to use FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true;
The above statement will store the data in the cookie on the server side. That fixed the problem because only a session identifier is stored on the client(browser).
However, that attribute appears to be removed from the WIF 4.5 API.
Do you know if there is a work around?
Do you save the original token? Do you have something like this in your web.config, or do you set the saveBootstrapTokens config setting to true:
<securityTokenHandlers>
<securityTokenHandlerConfiguration saveBootstrapTokens="true" />
</securityTokenHandlers>
If you do, or if you don't, try setting saveBootstrapTokens to false! This will save you a lot of "space".
I had this issue only when I had saveBootstrapTokens set to true.
Yes - #astaykov is correct - that's part of it.
As per #Dominick, it's called "IsReferenceMode" in .NET 4.5.