[MAGNOLIA-8271] Set session cookies as secure & http-only by default Created: 22/Dec/21  Updated: 23/Dec/21

Status: Accepted
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Mikaël Geljić Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
[ ] Verify impact, then remediation via sys-prop on local development instances
[ ] Verify in context of Magnolia behind a reverse-proxy (talking to it over http)
[ ] Verify on one of our current cloud subs (magnolia-pd no longer active) or on PaaS, together with SSO
[ ] Verify Vaadin Admincentral session tracking is not impacted (does not rely on accessing JSESSIONID programmatically on the client)
Task DoD:
[ ] Doc/release notes changes? Comment present?
[ ] Downstream builds green?
[ ] Solution information and context easily available?
[ ] Tests
[ ] FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
Release notes required:
Yes
Documentation update required:
Yes

Description

Pen tests [regularly] come back with a "JSESSIONID Cookie is not secure" issue. It is very easy to fix by enforcing secure=true in web.xml, yet it is rather annoying to have to explain it again and again. It also means pretty much all customers make the mistake of not setting the flag. OTOH setting it to true impairs local development, as the browser will refuse to send the cookie over http and require https, which is mostly not available on localhost.

—via had, see thread in #security

Therefore we consider setting the session cookie as secure & http-only (i.e. not readable by client-side scripts) by default, programmatically.

  • Obtain SessionCookieConfig from the ServletContext in MagnoliaServletContextListener, in a manner similar to the JndiSessionCookieConfigListener on the popular SO thread "Forcing Tomcat to use secure JSESSIONID cookie over http", except without JNDI. The SessionCookieConfig setters can only be called while the context is still initializing (they throw IllegalStateException afterwards), so this has to happen in contextInitialized, before any session is created.
  • Configuring other flags of the SessionCookieConfig is out of scope at this stage (can be exposed via MP config when the time comes).
  • Disable this behavior when magnolia.develop=true, to mitigate impact on local-development instances.
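The following is an added sketch of the listener described above; it is example code, not Magnolia's MagnoliaServletContextListener or any code from this ticket. It assumes the javax.servlet API (Servlet 3.0+), that the develop switch can be read as the system property "magnolia.develop" (how Magnolia actually resolves its properties is not shown here), and that the listener is registered (via @WebListener or web.xml) so that it runs before the first session is created.

```java
// Added example, not Magnolia's own code. Marks the session cookie HttpOnly always,
// and Secure unless the instance is a local development instance.
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    // Assumption: the develop flag is available as a plain system property.
    static final String DEVELOP_PROPERTY = "magnolia.develop";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        boolean develop = Boolean.parseBoolean(System.getProperty(DEVELOP_PROPERTY, "false"));
        // Must run here: once the context is initialized, the setters below
        // throw IllegalStateException.
        configure(ctx.getSessionCookieConfig(), develop);
    }

    /** Kept separate so the decision can be unit-tested with a mocked config. */
    static void configure(SessionCookieConfig cfg, boolean develop) {
        // HttpOnly is safe in every environment: nothing on the client needs to
        // read JSESSIONID programmatically (Vaadin tracks the session server-side).
        cfg.setHttpOnly(true);

        if (develop) {
            // Plain http://localhost: a Secure cookie would never be sent back by
            // the browser, so keep the container default, where "secure" follows
            // request.isSecure().
            return;
        }

        // Force Secure regardless of the request scheme. Without this, a container
        // behind a reverse proxy that talks plain HTTP to it sees isSecure()==false
        // and emits the cookie without the flag, which is exactly what pen tests report.
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The declarative equivalent that the description refers to is the web.xml `<session-config><cookie-config>` element with `<secure>true</secure>` and `<http-only>true</http-only>`; the listener approach exists only so the default does not depend on every deployment remembering to add it. When verifying behind a reverse proxy, check the actual `Set-Cookie` header the browser receives (for example with `curl -I` against the public URL), not the container's own logs, since the proxy may rewrite cookies.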

Generated at Mon Feb 12 04:31:11 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.