Project

General

Profile

Actions

Bug #11159

closed

JSESSION cookie should be "secure"

Added by François ARMAND over 7 years ago. Updated over 5 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

It is a good practice to do so.

It should be done with:

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="secureCookies" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

But it does not seems to work, certainly because our link between jetty and apache is HTTP (not S). Or because there is a problem if we speciy several "Set" (there is one other for #11158)
See: https://stackoverflow.com/questions/3038223/how-to-get-jetty-to-send-jsessionid-cookies-with-the-secure-flag-when-using-a-se


Subtasks 2 (0 open2 closed)

Bug #11163: Enable mod header for apacheRejectedBenoît PECCATTEActions
Bug #11167: Add apache hearder rewrite rules to secure/httponly cookiesReleasedBenoît PECCATTEActions

Related issues 2 (0 open2 closed)

Related to Rudder - Bug #11158: JSESSION cookie should be "httpOnly"RejectedActions
Related to Rudder - Bug #11160: We should not send Jetty version in header responseRejectedActions
Actions #1

Updated by François ARMAND over 7 years ago

  • Copied from Bug #11158: JSESSION cookie should be "httpOnly" added
Actions #2

Updated by François ARMAND over 7 years ago

  • Copied to Bug #11160: We should not send Jetty version in header response added
Actions #3

Updated by François ARMAND over 7 years ago

  • Copied to deleted (Bug #11160: We should not send Jetty version in header response)
Actions #4

Updated by François ARMAND over 7 years ago

Perhaps for both this one, httpOnly, and removing jetty header, the config could be done in apache with mod_header https://serverfault.com/questions/645964/httponly-and-secure-cookies-with-apache-mod-header-for-all-cookies

That would allows to put all that config on the same place, even if we have cookies from other app one day (like technique editor or whatever), and not be dependent of jetty (nor its version).

Actions #5

Updated by François ARMAND over 7 years ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #6

Updated by François ARMAND over 7 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder/pull/1704
Actions #7

Updated by François ARMAND over 7 years ago

  • Copied from deleted (Bug #11158: JSESSION cookie should be "httpOnly")
Actions #8

Updated by François ARMAND over 7 years ago

  • Related to Bug #11158: JSESSION cookie should be "httpOnly" added
Actions #9

Updated by François ARMAND over 7 years ago

  • Status changed from Pending technical review to Pending release
Actions #10

Updated by François ARMAND over 7 years ago

  • Related to Bug #11160: We should not send Jetty version in header response added
Actions #11

Updated by Vincent MEMBRÉ over 7 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.22, 4.1.6 and 4.2.0~beta3 which were released today.

Actions #12

Updated by François ARMAND over 7 years ago

  • Private changed from Yes to No

Removing the private status now that the release containing the fixes are available.

Actions

Also available in: Atom PDF