Cookies not showing httponly and secure even though settings in web.config are set - cookies

We have a site that uses first party and third party cookies. Security has pointed out that several of our cookies are not httponly and not secure. After looking at the web.config file I see this:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
Hitting the site and using Google Dev Tools shows the cookies are still not marked as httpOnly or secure.
Shouldn't this setting force all first party cookies to be rendered as httpOnly and Secure? Or am I missing something? Any reason these cookies would not be httpOnly/secure? I also set this via IIS at the server level, but no change in the cookies' status.

Related

Setting JupyterHub SameSite Cookie Attribute

I have jupyterhub (TLJH) running on my AWS. It is served on my site using an iframe. Since the latest Chrome update, the "SameSite" cookie attribute is causing the following issue. The below image shows what I see in the iframe.
Given below is the warning I get in my console:
A cookie associated with a cross-site resource at http://www._____.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
When I disable the SameSite attribute in chrome://flags/, the iframe loads perfectly.
I understand that I need to edit my cookie settings to add {SameSite=None; Secure} somewhere in jupyterhub, but I don't know where.
It looks to me as if you may be able to use the cookie_options setting to add SameSite=None; Secure to the cookies, but I am not 100% sure.
I've raised https://github.com/jupyterhub/jupyterhub/issues/3117 to ask the team to validate.
I could make it work only by making my server map to a subdomain. For example, say the main website which has the Iframe embed is www.mydomain.com, I had to map my Jupyter server to "subdomain.mydomain.com" to make it work.
It is obvious that the above approach was possible because the page I was trying to embed was owned by me. Hoping for an answer for the other scenario!
You can use the jupyterhub proxy to give your server a domain name like "http:***.mydomain.com". But this must be a subdomain of your site ("http://www._____.com/").

Set-cookie header is present but cookies are not set, no HttpOnly

I'm trying to get cookies via document.cookies (session id) in the console after receiving them here:
As you can see, no HttpOnly is present. But the cookies still are not accessible for some reason.
I'm using whatwg-fetch in a React app for queries. Chrome browser, Version 80.0.3987.149 (Official Build) (64-bit), but tested with others and no luck either.
Okay, the thing was that I cannot use cookies while working with wildcard Access-Control-Allow-Origin requests.

Directus sets cookie on admin app origin but I need it on my front end app

I have the directus API and admin app on localhost and I have a frontend React app on localhost:3000. When I try to login via the client.login method from the React interface, directus sets the cookie on localhost (its admin app's origin). But I need this cookie on localhost:3000 where my actual app is located.
The Set-Cookie header looks like this:
directus-test-session=4JCvIJhNxCovLAvCwkSulylc8ZYq1iok4EQ3%3A%3A5b84ad5310ba25a7129ed57448136e13; path=/; expires=Sat, 04-Jan-2020 14:06:49 UTC; HttpOnly
Also the Google console gives a warning like the one below:
A cookie associated with a cross-site resource at http://directus.test was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.
I need to set the cookie on localhost:3000. How can I do this? Thank you in advance.
I'm not sure if Chrome allows you to set cookies on localhost on a specific port at the time of writing.*
As for the warning thrown: we can't set the SameSite attribute as that will kill support for cross domain cookies entirely. You can either host your end project on the same (sub)domain as Directus or use the JWT mode for authentication instead. (When using client.login, set mode = 'jwt').
We can consider making the cookies Secure by default, but that would possibly hinder localhost development, as that requires an HTTPS connection for the cookies to be sent.
* Chrome (and the other browsers) have been updating their cookie policy very frequently lately to fight third party tracking.
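The posts above all come down to inspecting a Set-Cookie header for three attributes: HttpOnly, Secure and SameSite. The helper below is an added example, not code from ASP.NET, JupyterHub or Directus; it parses raw Set-Cookie header values and reports which attributes are missing or inconsistent. The sample headers are constructed, one of them shaped like the Directus header quoted above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    """Result of inspecting one Set-Cookie header value."""
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]          # lower-cased value, or None when the attribute is absent
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse a single Set-Cookie header value and record missing or inconsistent flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")     # flags such as HttpOnly carry no '=value'
        attrs[key.strip().lower()] = value.strip().lower()
    audit = CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )
    if not audit.httponly:
        audit.findings.append("missing_httponly")    # readable through document.cookie
    if not audit.secure:
        audit.findings.append("missing_secure")      # also sent over plain http
    if audit.samesite is None:
        audit.findings.append("missing_samesite")    # Chrome treats this as Lax; breaks cross-site iframe use
    elif audit.samesite == "none" and not audit.secure:
        audit.findings.append("samesite_none_without_secure")   # Chrome rejects this combination
    return audit


def audit_set_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; an empty list means all three attributes are in order."""
    return {a.name: a.findings for a in (parse_set_cookie(h) for h in headers)}


# Constructed sample headers: a Directus-style session cookie, an ASP.NET-style one, and a correct one.
SAMPLE_HEADERS = [
    "directus-test-session=SESSIONVALUE; path=/; expires=Sat, 04-Jan-2020 14:06:49 UTC; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/",
    "session=xyz; Path=/; Secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for cookie, findings in audit_set_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings) or 'ok'}")
```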

Understanding the intended behaviour of HTTPOnly flag

I have a slight confusion regarding the HTTPOnly attribute in cookies. I am aware that its main use is for protection against XSS attacks. Let us assume there is a web application which has set httponly enabled for the cookie. I used an interception proxy like Fiddler for this. But in all subsequent transactions the cookie is not accompanied by the httponly flag. Is this a feature, like set it once and the whole session is covered under the httponly flag, or is this an implementation flaw? But again, when monitored through a cookie manager addon, the properties show that httponly is enabled. My question is: if it's enabled, why does the cookie manager show it enabled but not an interception proxy? Is this the normal expected behaviour or a wrong implementation? Please help me understand.
HttpOnly is sent by the server in the Set-Cookie header to instruct the browser not to make the cookie available to JavaScript. The browser will still send it over http connections. The Set-Cookie header can contain all sorts of instructions for cookies, like when they expire, what domain they are for, which path, whether they should only be sent over https (Secure flag) and HttpOnly. These are all instructions from the server to the browser, so there is no point in the browser sending them back to the server on each request.

Of HttpOnly and document.cookie

Searching for possible ways to get a cookie with httpOnly enabled, I cannot find any. But then again, how can browser addons like Firebug, Add 'N Edit Cookie, etc. get the cookies? Can't an attacker do the same?
So my question is, is it really, really impossible to get the cookie of httpOnly-enabled requests using javascript?
P.S.: Yes, I'm aware httpOnly doesn't stop XSS attacks. I'm also aware it's futile against sniffers. Let's just focus on javascript, sort of the alert(document.cookie) type / pre-httpOnly era.
how can browser addons like Firebug, Add 'N Edit Cookie, etc. get the cookies?
They are browser extensions, and the browser has access to the cookies; extensions have a higher level of privileges than your JS code.
is it really, really impossible to get the cookie of httpOnly-enabled requests using javascript?
Provided you are using a browser (i.e., a quite recent browser) that supports httpOnly and doesn't have a security bug about it, it should be impossible -- that's the goal of httpOnly.
Quoting Wikipedia:
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts.
Firebug and other addons can do that because they are not running under the security restrictions imposed on the JavaScript of the web pages.