lcolombo Posted March 11, 2021
A client performed a penetration test on our application (a payroll application) and told us that the cookie must have the SameSite and Secure attributes configured. How can I configure the SameSite and Secure attributes on the cookie cookiesession1? Regards
irigsoft Posted March 11, 2021
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

    Set-Cookie: cookiesession1=0F1DB........YH2F..; SameSite=None; Secure
Pep Posted March 11, 2021 (edited)
Maybe this can help you to set a cookie secure:

    UniGUIApplication.UniApplication.Cookies.SetCookie(
      const ACookieName: string,
      const AValue: string,
      AExpires: TDateTime = 0,
      ASecure: Boolean = False,    // <-- set to True
      AHTTPOnly: Boolean = False,
      const APath: string = '/'
    )
irigsoft Posted March 11, 2021
Or this:

    procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      // Re-issue the session cookie with ASecure=True and AHTTPOnly=True on path '/'
      UniSession.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
        UniSession.UniApplication.Cookies.GetCookie('UNI_GUI_SESSION_ID'),
        0, True, True, '/');
    end;
Sherzod Posted March 11, 2021
Secure
Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.
Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).
irigsoft Posted March 11, 2021
4 minutes ago, Sherzod said:
    Secure
    Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.
    Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.
    Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).
@Sherzod, but what is the correct way to set these attributes on the session cookie?
lcolombo Posted March 11, 2021 (Author)
I tried the following approach and it didn't work. Any ideas?
https://www.petefreitag.com/item/850.cfm

    <rewrite>
      <outboundRules>
        <rule name="AddSameSiteCookieFlag">
          <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(cookiesession1)(=.*)$" />
          <action type="Rewrite" value="{R:0};SameSite=lax" />
        </rule>
      </outboundRules>
    </rewrite>

Regards,
irigsoft Posted March 11, 2021
@lcolombo,
1. Do you use https?
2. Do you use IIS, standalone, or something else?
3. Where did you write this rule?
lcolombo Posted March 11, 2021 (Author)
49 minutes ago, irigsoft said:
    @lcolombo,
    1. Do you use https?
    2. Do you use IIS, standalone, or something else?
    3. Where did you write this rule?
1. Yes
2. IIS
3. In web.config
The cookiesession1 cookie is a "request" cookie and not a response cookie. Could this be the reason why the rewrite does not work?
Regards,
irigsoft Posted March 12, 2021
On 3/11/2021 at 6:19 PM, lcolombo said:
    1. Yes
    2. IIS
    3. In web.config
    The cookiesession1 cookie is a "request" cookie and not a response cookie. Could this be the reason why the rewrite does not work?
    Regards,
I am sorry, I can't help. I made this for myself:

    procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      // Re-issue the session cookie with ASecure=True and AHTTPOnly=True on path '/'
      UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
        UniSession.UniApplication.Cookies.GetCookie('UNI_GUI_SESSION_ID'),
        0, True, True, '/');
    end;
lcolombo Posted March 12, 2021 (Author)
@irigsoft, thank you very much, you helped me understand the problem and how the uniGUI session cookie works.
@farahad, we need to be able to make the session cookie more secure to be able to pass the security audits of our clients.
Regards,
irigsoft Posted April 2
On 3/12/2021 at 11:06 PM, lcolombo said:
    @irigsoft, thank you very much, you helped me understand the problem and how the uniGUI session cookie works.
    @farahad, we need to be able to make the session cookie more secure to be able to pass the security audits of our clients.
    Regards,
Hi, I'm going to add a new way to protect cookies, but I can't test it; if you can confirm my code is working I'd appreciate it. Add this to MainForm.Script:

    function getCookie(name) {
      const value = `; ${document.cookie}`;
      const parts = value.split(`; ${name}=`);
      if (parts.length === 2) return parts.pop().split(';').shift();
    }
    //function setCookie () {
    // If the server already issued the cookie with HttpOnly, getCookie returns
    // undefined and the browser ignores the writes below (RFC 6265 section 5.3).
    var keyValue = getCookie('UNI_GUI_SESSION_ID');
    //alert (keyValue);
    //setCookie(key, keyValue, '-1');
    // Re-set the cookie with Secure and SameSite=Strict; browsers ignore the
    // value after "Secure=", the attribute name alone is what counts.
    document.cookie = 'UNI_GUI_SESSION_ID=' + keyValue + ';Secure=true;SameSite=Strict';
    keyValue = getCookie('UNI_GUI_SESSION_ID');
    // A document.cookie write containing HttpOnly is ignored by browsers, so this
    // line has no effect; HttpOnly can only be set in a Set-Cookie response header.
    document.cookie = 'UNI_GUI_SESSION_ID=' + keyValue + ';HttpOnly=true';
    //};
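A check for what the pentester reported, added here as an example that is not from this thread or from uniGUI: it parses the Set-Cookie headers a response carries and flags the session cookies named in the thread (cookiesession1, UNI_GUI_SESSION_ID) when Secure, HttpOnly or SameSite is missing. The sample headers are constructed; feed audit_response_headers the real response's Set-Cookie values to confirm a fix.

```python
from typing import Dict, List, Tuple

# Session cookie names discussed in the thread; other cookies are skipped.
SESSION_COOKIES = {"cookiesession1", "UNI_GUI_SESSION_ID"}
VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes); attribute names are case-insensitive, flags get an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            attr_name, _, attr_value = part.partition("=")
            attrs[attr_name.strip().lower()] = attr_value.strip()
    return name.strip(), value, attrs

def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header (empty list = OK)."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if name not in SESSION_COOKIES:
        return findings
    # Secure/HttpOnly are flags: browsers ignore any value ("Secure=true"
    # still counts), so only the presence of the key matters.
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in VALID_SAMESITE:
        findings.append(f"{name}: missing or invalid SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    return findings

def audit_response_headers(set_cookie_headers: List[str]) -> List[str]:
    """Audit every Set-Cookie header of one HTTP response."""
    return [f for h in set_cookie_headers for f in audit_set_cookie(h)]

# Constructed sample headers: the first matches the pentester's finding,
# the second is what SetCookie(..., True, True, '/') plus SameSite would give.
SAMPLE_HEADERS = [
    "cookiesession1=example-session-id; Path=/",
    "UNI_GUI_SESSION_ID=example-id; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print("\n".join(audit_response_headers(SAMPLE_HEADERS) or ["no findings"]))
```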