Introduction
Securing cookies matters. Take the example of an authentication cookie: if an attacker is able to obtain it, they can impersonate the user. Such cookies need to be protected from theft through XSS (Cross-Site Scripting) and man-in-the-middle attacks.
HttpOnly Flag
By default every cookie can be read from JavaScript; for example, the document.cookie property lists all the cookies for a domain. If an XSS vulnerability is present in the application, the attacker can use it to steal the authentication and other sensitive cookies. To protect such cookies from JavaScript access we add the HttpOnly flag. The HttpOnly flag tells the browser to send the cookie only as part of HTTP requests and never expose it to client-side script, so document.cookie will not return it. Note that HttpOnly does not fix the XSS itself: injected script can still issue requests in the user's session from the browser, so the flag limits the damage rather than removing the need to fix the vulnerability.
Secure Flag
When the HTTP protocol is used, data is sent in plain text, which allows a man-in-the-middle attacker to read and steal authentication cookies. When a site is available over both HTTP and HTTPS, for example an ecommerce site, sensitive cookies will be sent over both protocols unless told otherwise. So the Secure flag should be added to those cookies. The Secure flag tells the browser to send the cookie only over HTTPS, so an attacker in the middle of a plain HTTP connection never sees its value.
Cookies without those flags
Neither the HttpOnly nor the Secure flag is enabled on all the sensitive cookies. Please see the screenshot below.
How to enable the HttpOnly flag in WebSphere server
HttpOnly support in WAS 7.0.0.37 with PI25144
Although the HttpOnly option only became available with Servlet specification 3.0 (WAS 7.0 implements 2.5), since WAS 7.0.0.9 cookies can be made HttpOnly using the com.ibm.ws.webcontainer.httpOnlyCookies custom property (see PK98436: HTTPONLY ATTRIBUTE IS NOT SUPPORTED IN A WEBSPHERE APPLICATION SERVER SESSION COOKIE).
If our WAS version is 7.0.0.37 the APAR is already installed, so we only need to set the custom property.
As per the IBM recommendation, session management cookies are good candidates for HttpOnly, and we should avoid enabling HttpOnly on cookies that are used in the storefront (HttpOnly would make them unreadable to the store's client-side script), such as WC_CartTotal_ and WC_CartOrderId_ in the starter stores. Following that recommendation, the cookies below should be made HttpOnly:
JSESSIONID
WC_GENERIC_ACTIVITYDATA
WC_AUTHENTICATION_<userId>
WC_USERACTIVITY_<Userid>
WC_PERSISTENT
WCP_<userId>
WC_identitySignature
Detailed steps for enabling the HttpOnly flag
Log in to the WAS console, click Servers, under Servers click Server Types, and under Server Types click WebSphere application servers
Select the server (the steps need to be repeated for each server)
Under Configuration and Container settings click Web Container Settings, and under Web Container Settings click Web container
Under Additional Properties click Custom Properties
In the Custom Properties page, click New
Add the httpOnlyCookies setting:
Name: com.ibm.ws.webcontainer.httpOnlyCookies
Value: JSESSIONID,WC_GENERIC_ACTIVITYDATA,WC_AUTHENTICATION_*,WC_USERACTIVITY_*,WC_PERSISTENT,WCP_*,WC_identitySignature
Save the configuration and restart the server so the web container picks up the new property.
Enable the Secure flag in WebSphere server
For WAS version 7.0.0.37 the Secure flag is already enabled for some cookies, and WCS decides which cookies need to be secure. For some cookies, such as JSESSIONID, we need to enable it ourselves.
Detailed steps to enable the Secure flag for the JSESSIONID cookie
Go to the WAS console and click Servers >> Server Types >> WebSphere application servers
Click on the server
Click on Session management
Click on Enable cookies
Check the checkbox Restrict cookies to HTTPS sessions
Validating the change in the storefront
Log in to the site and open Firebug; you should see something like the screenshot below, with HttpOnly and Secure shown against the cookies that were configured.
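Checking the flags by eye in Firebug is fine for one login, but a small script that parses the Set-Cookie headers is easier to repeat after each server change. The block below is an added example, not part of the original post or of any IBM tooling. It reuses the cookie-name list from the com.ibm.ws.webcontainer.httpOnlyCookies value above (treating a trailing * as a name-prefix wildcard, as in WC_AUTHENTICATION_*) and assumes, for the example only, that JSESSIONID and WC_AUTHENTICATION_* are the cookies that must also carry Secure; adjust that list to whatever WCS marks Secure in your store. The sample headers are constructed for the example.

```python
from fnmatch import fnmatchcase

# Same list as the httpOnlyCookies custom property value in the article.
# A trailing '*' is a prefix wildcard (WC_AUTHENTICATION_* matches WC_AUTHENTICATION_1002).
HTTPONLY_PATTERNS = [
    "JSESSIONID", "WC_GENERIC_ACTIVITYDATA", "WC_AUTHENTICATION_*",
    "WC_USERACTIVITY_*", "WC_PERSISTENT", "WCP_*", "WC_identitySignature",
]

# Assumption for this example: cookies that must also be Secure. WCS decides this for
# most cookies; JSESSIONID is the one the article enables by hand.
SECURE_PATTERNS = ["JSESSIONID", "WC_AUTHENTICATION_*"]


def httponly_property_value():
    """The comma-separated value to paste into com.ibm.ws.webcontainer.httpOnlyCookies."""
    return ",".join(HTTPONLY_PATTERNS)


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie_name, attributes).

    attributes maps lower-cased attribute names to their value, or True for
    flag attributes such as HttpOnly and Secure that carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def matches(name, patterns):
    """True if the cookie name matches any pattern (exact name or '*' wildcard)."""
    return any(fnmatchcase(name, pat) for pat in patterns)


def audit(set_cookie_headers):
    """Return [(cookie_name, [missing flags])] for sensitive cookies lacking a flag.

    Cookies not in either pattern list (storefront cookies such as WC_CartTotal_)
    are ignored, matching the IBM guidance not to make them HttpOnly.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if matches(name, HTTPONLY_PATTERNS) and "httponly" not in attrs:
            missing.append("HttpOnly")
        if matches(name, SECURE_PATTERNS) and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample Set-Cookie values, as a storefront login response might return them.
SAMPLE_HEADERS = [
    "JSESSIONID=0000abcd:-1; Path=/; HttpOnly",                       # Secure missing
    "WC_AUTHENTICATION_1002=1002%2Cabc; Path=/; Secure; HttpOnly",    # correct
    "WC_USERACTIVITY_1002=1002%2C10001; Path=/",                      # HttpOnly missing
    "WC_CartTotal_10001=3; Path=/",                                   # storefront cookie, not checked
    "WC_PERSISTENT=abc; Path=/; HttpOnly",                            # correct
]

if __name__ == "__main__":
    print("httpOnlyCookies =", httponly_property_value())
    for cookie, flags in audit(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(flags)}")
```

In practice, feed audit() the Set-Cookie values captured from the real storefront response (for example from the Net panel in Firebug or from `curl -sI` against the login URL), once for the HTTP storefront pages and once for the HTTPS login, since the Secure flag only shows its effect on the plain HTTP response.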

So if I want to enable the secure flag for the WC_PERSISTENT cookie, how do I enable it?