Could not disable HttpOnly flag in browser via ColdFusion - coldfusion

In our application, we use J2EE session variables for session management. We recently migrated from ColdFusion 9 to ColdFusion 2018. After the migration, the logout functionality is not working. What we found is that, in ColdFusion 2018, the cookie JSESSIONID is not cleared from the browser because the HttpOnly flag has been set to true in the browser.
We tried to disable this HttpOnly flag in the browser in the following ways:
By disabling the HttpOnly flag and Global Script Protection in CF admin.
By modifying the jvm.config via CF admin by adding "-Dcoldfusion.sessioncookie.httponly=false".
But the HttpOnly flag still shows as enabled in the browser. Because of this, the client-side script is not able to clear the cookie JSESSIONID and hence the logout functionality is not working.
Is there any way, in CF2018, to disable the HttpOnly flag in the browser for the cookie JSESSIONID?
Note:
In CF9, the HttpOnly flag is disabled in the browser for the cookie JSESSIONID.
We use the CF2018 enterprise edition (Trial Version, not yet expired).
We restarted the CF services after updating the settings in CF admin.

You'll likely have to refactor your application to address a number of OWASP vulnerabilities that could not be handled by CF 9 out of the box. Depending on your audience, you should get a 3rd party to perform a security penetration test against your code base.
You're going to need to refactor your logout process. You shouldn't disable HttpOnly on the JSESSIONID cookie; it's a protection against Cross-Site Scripting attacks.
https://www.owasp.org/index.php/HttpOnly
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN
When using JEE session IDs, you need to add this to your logout process:
<cfset getPageContext().getSession().invalidate()>
Then redirect to another page like your login screen. This will delete the jsessionid cookie and actually invalidate the JEE session on the server.

Related

Problem with Samesite in Google Login Popup

In my project I use Google Login. This functionality stopped working a few weeks ago. I run login with Google in an iframe. It just closes the window and nothing happens. Inside dev tools there are the following warnings:
A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://accounts.google.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Storing Access Token in httponly Cookie but user can still see it in Network tab of Chrome Dev Tools?

I am using Django to create a Python backend and am storing the user's access token and refresh token in HttpOnly cookies so I can authenticate requests to my backend.
1) Is this the right way to do this?
2) I know that httponly prevents seeing the cookie using 'document.cookie', but you can still see the cookie by analyzing the network tab in Chrome Dev Tools. Is this fine because only the user can see it (not other people)? Or is this still bad?
I can't answer #1 authoritatively but it sounds fine to me. For #2, httponly is there to protect the cookie from being scraped by malicious code, not to keep the user from being able to find it in the developer tools. Even if it wasn't visible in the Network tab, it would be visible under Application (or Storage in Firefox). This makes sense, because the user should always be able to see (and delete) individual cookies, regardless of how the server defined them.

Setting httponly cookie with blazor

Is there a way to set an HttpOnly cookie with Blazor server side?
Setting a non-HttpOnly one with JS interop is not a problem, but in the case of HttpOnly it is obviously not possible this way.
Thanks in advance
Holger
It seems that HttpOnly cookies are not accepted with Blazor Server as they are with Blazor WASM.
One of the reasons I was interested in using HttpOnly cookies with Blazor Server was for passing authentication tokens from a Blazor App to some back-end in a secure fashion.
Fortunately, there is a secure alternative to HttpOnly cookies in Blazor Server that may assist you. This is called ASP.NET Core Protected Browser Storage. You can store whatever you want in local storage or session storage, but it will be encrypted so that only the server can decrypt and read the stored details. This reduces the potential risk of tampering with stored data. While this is technically different from HttpOnly cookies, it can be used as a solution to similar problems.
You can read more about it here: ASP.NET Core Protected Browser Storage

ember cookie vs server cookie

I am using Ember and Ember-simple-auth. This question is to clear my confusion related to cookies etc.
I have configured ember storage to Cookie.
My server is sending a cookie to be saved on the client side, i.e.
Set-Cookie: dejavu.session=WwwLQjdfOoNz_-bhyYpBLvzew7IUaJuu; Path=/; Expires=Mon, 28-May-2018 15:59:30 GMT
My understanding is that:
the browser automatically captures the cookie from the Set-Cookie header (meaning it should be visible in the dev tools);
the browser automatically adds this cookie to subsequent requests;
I don't need to do anything extra with Ember Simple Auth, as the server cookie is handled by the browser by default.
Based on this understanding, in Chrome inspector I just see one cookie of ember-simple-auth and nothing else.
My questions are:
1- Should I see a separate cookie (the one sent from the server) in the dev tools along with the Ember cookie (set by Ember Simple Auth)? Or does my server cookie have to be embedded in the Ember cookie? I actually don't see the server cookie in my dev tools, so I am confused.
2- Is it the right concept that the Ember cookie is storage for Ember, but the server cookie is the one that the browser will capture and send in the header of subsequent requests?
OK. I found the solution after a lot of testing and exploration.
The answer to both my questions is:
There is a bug in Chrome dev tools that doesn't show the cookie sent from the server. We don't need to embed the server cookie in the Ember cookie. The browser manages cookies itself. Only the server has to send a cookie, and then the browser will manage it, e.g. discard it if it expires, and automatically add it to the header of each subsequent request sent via the API. We can see the cookie as the request is sent, in our dev tools 'Network' tab under request headers.
With a session cookie and Ember-simple-auth we don't need to set an authorizer in the header (for adding the cookie to the header), as this will override the session cookie (that was set by the browser).
So when using Ember-simple-auth and session authentication, correct flow is:
add addon
setup authenticator (follow github docs)
don't set authorizer (as told in docs)

Action after XSS successfully

Let's say my site is vulnerable to XSS.
What happens then?
JavaScript nowadays cannot get the cookie (HttpOnly is marked 'true').
Could the attacker do something specific on my site then?
Thanks.
You are saying that your website is vulnerable to XSS and that it has the HttpOnly flag enabled.
If the victim's browser supports the HttpOnly flag, then the attacker can't get the victim's cookie, as it is not accessible to the malicious script. But what if the victim's browser does not support the HttpOnly flag? In this case the browser ignores the HttpOnly flag and creates a normally accessible cookie, so the attacker can get the cookie.
The HttpOnly flag does not prevent execution of the malicious script, so the attacker can still do many other things.
E.g. a keylogger, redirecting the user to malicious sites, injecting fake login forms, etc.