Magnolia issue tracker: MAGNOLIA-8271

Set session cookies as secure & http-only by default


Details

    • Type: Improvement
    • Resolution: Unresolved
    • Component: core

    Description

      Pen tests [regularly] come back with a "JSESSIONID Cookie is not secure" issue. It is very easy to fix by enforcing secure=true in web.xml, yet it is rather annoying to have to explain it again and again. And it also means pretty much all customers make the mistake of not setting the flag. OTOH, setting it to true impairs local development, as the browser will refuse to serve the cookie over http and require https, which is mostly not available on localhost.

      —via had, see thread in #security

      Therefore we consider setting cookies as secure & http-only (not accessible to client scripts) by default, programmatically.

      • Obtain SessionCookieConfig from ServletContext in MagnoliaServletContextListener, in a manner similar to the JndiSessionCookieConfigListener on the popular SO thread "Forcing Tomcat to use secure JSESSIONID cookie over http", except without JNDI.
      • Configuring other flags of the SessionCookieConfig is out of scope at this stage (can be exposed via MP config when the time comes).
      • Disable this behavior when magnolia.develop=true, to mitigate impact on local-development instances
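The three bullets above, carried through as a worked example. This is an illustration added here, not Magnolia's own MagnoliaServletContextListener; the class name SecureSessionCookieListener, the @WebListener registration, and the way the magnolia.develop flag is read (context init-param, falling back to a JVM system property) are assumptions.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Hypothetical listener (not Magnolia's code) that applies the issue's proposal:
 * mark the servlet session cookie (JSESSIONID by default) HttpOnly always and
 * Secure unless the instance runs in local development mode.
 *
 * Equivalent declarative configuration in web.xml (Servlet 3.0+), which is what
 * the pen-test finding usually asks customers to add by hand:
 *
 *   <session-config>
 *     <cookie-config>
 *       <secure>true</secure>
 *       <http-only>true</http-only>
 *     </cookie-config>
 *   </session-config>
 */
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    /** Property name taken from the issue; how Magnolia actually reads it is an assumption here. */
    static final String DEVELOP_PROPERTY = "magnolia.develop";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        boolean develop = isDevelop(ctx);

        // Must run here, during context initialisation: SessionCookieConfig setters
        // throw IllegalStateException once the ServletContext has been initialised,
        // so this cannot be done lazily from a filter on the first request.
        configure(ctx.getSessionCookieConfig(), develop);

        ctx.log("Session cookie config: httpOnly=true, secure=" + !develop
                + (develop ? " (" + DEVELOP_PROPERTY + "=true, Secure flag skipped)" : ""));
    }

    /** Assumption: the develop flag may be given as a context init-param or as a JVM system property. */
    static boolean isDevelop(ServletContext ctx) {
        String value = ctx.getInitParameter(DEVELOP_PROPERTY);
        if (value == null) {
            value = System.getProperty(DEVELOP_PROPERTY);
        }
        return Boolean.parseBoolean(value);
    }

    /**
     * HttpOnly is harmless on localhost (the cookie still travels over http, it is
     * merely hidden from document.cookie), so it is always set. Secure makes browsers
     * withhold the cookie on plain http, which breaks localhost development, so it is
     * only skipped in develop mode. Other SessionCookieConfig flags (name, domain,
     * path, max-age) are deliberately left untouched, matching the issue's scope.
     */
    static void configure(SessionCookieConfig config, boolean develop) {
        config.setHttpOnly(true);
        config.setSecure(!develop);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

To confirm the change took effect, request a page that creates a session over https and inspect the Set-Cookie response header: the JSESSIONID cookie should carry both the Secure and HttpOnly attributes. On a develop instance over http only HttpOnly should appear. Note that a web.xml cookie-config and this listener both write to the same SessionCookieConfig, so whichever runs last wins; keep only one source of truth per deployment.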

              People

                Assignee: Unassigned
                Reporter: Mikaël Geljić (mgeljic)
