
Cookie security


lcolombo

A client performed a penetration test on our application (payroll application) and told us that the cookie must have the sameSite and secure attributes configured.

How can I configure the sameSite and secure attributes in the cookie cookiesession1 ?


Regards


maybe this can help you to set a cookie secure:

UniGUIApplication.UniApplication.Cookies.SetCookie(
  const ACookieName: string;
  const AValue: string;
  AExpires: TDateTime = 0;
  ASecure: Boolean = False;        // <-- set to True
  AHTTPOnly: Boolean = False;
  const APath: string = '/'
)

 

Edited by Pep
syntax error

Secure
Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.

Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.

Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).


4 minutes ago, Sherzod said:

Secure
Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.

Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.

Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).

@Sherzod,

But what is the correct way to set these attributes on the session cookie?


2 hours ago, irigsoft said:

I tried the following approach and it didn't work. Any ideas ?

https://www.petefreitag.com/item/850.cfm


<rewrite>
    <outboundRules>
        <rule name="AddSameSiteCookieFlag">
            <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(cookiesession1)(=.*)$" />
            <action type="Rewrite" value="{R:0};SameSite=lax" />
        </rule>
    </outboundRules>
</rewrite>

Regards,


49 minutes ago, irigsoft said:

@lcolombo,

1. Do you use https?

2. Do you use IIS, StandAlone, or something else?

3. Where do you write this rule?

1. Yes

2. IIS

3. In web.config

The cookiesession1 cookie is a "request" cookie and not a response cookie. Could this be the reason the rewrite does not work?


Regards,

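What the web.config rule from the earlier post actually does, reproduced as an added Python example (not IIS code and not code from the thread): the rule's regular expression and its {R:0} replacement (the whole match) are applied to a response's headers. An outbound rule bound to RESPONSE_Set-Cookie only ever sees Set-Cookie headers of the response; on a later request, where the session cookie travels only in the browser's Cookie: header and the server issues no new Set-Cookie, there is nothing for the rule to rewrite, which is the situation described in the post above. The two responses are constructed.

```python
import re

# <match pattern> and <action value> from the web.config rule in the thread.
PATTERN = re.compile(r"^(.*)(cookiesession1)(=.*)$")
APPEND = ";SameSite=lax"


def rewrite_set_cookie(value):
    """Apply the rule to one Set-Cookie header value.

    Returns the value unchanged when the pattern does not match; otherwise
    returns the whole match ({R:0}) with the SameSite attribute appended,
    exactly as the rule is written (it does not check for an existing one).
    """
    m = PATTERN.match(value)
    if not m:
        return value
    return m.group(0) + APPEND


def apply_outbound_rule(response_headers):
    """Run the rule over a response's headers.

    Only Set-Cookie headers are candidates, mirroring a rule bound to the
    RESPONSE_Set-Cookie server variable. Request headers (the Cookie: header
    the browser sends back) never pass through an outbound rule, so they are
    not an input here.
    """
    out = []
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            value = rewrite_set_cookie(value)
        out.append((name, value))
    return out


# Constructed responses, not captured from IIS.
# First response of a session: the server issues the cookie, the rule fires.
FIRST_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cookiesession1=558f9ca3d2; Path=/; Secure; HttpOnly"),
]
# Any later response of the same session: the cookie only arrived in the
# request's Cookie: header, no Set-Cookie is issued, nothing is rewritten.
LATER_RESPONSE = [
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    print(apply_outbound_rule(FIRST_RESPONSE))
    print(apply_outbound_rule(LATER_RESPONSE))
```

One more thing the replay shows: because the rule appends unconditionally, a Set-Cookie header that already carries SameSite ends up with the attribute twice, so check the server's own output before adding the rule.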

On 3/11/2021 at 6:19 PM, lcolombo said:

1. Yes

2. IIS

3. In web.config

The cookiesession1 cookie is a "request" cookie and not a response cookie. Could this be the reason the rewrite does not work?


Regards,

I am sorry, can't help.

I do this for myself:

procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
begin
  // Re-issue the session cookie with the same value, ASecure = True and
  // AHTTPOnly = True (parameter order as in the SetCookie signature above).
  UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
    UniSession.UniApplication.Cookies.GetCookie('UNI_GUI_SESSION_ID'),
    0, True, True, '/');
end;


3 years later...
On 3/12/2021 at 11:06 PM, lcolombo said:

@irigsoft,

Thank you very much, you helped me understand the problem and how the unigui session cookie works.

@farahad,

we need to be able to make the session cookie more secure to be able to pass the security audits of our clients.

 

Regards,

Hi, 

I'm going to add a new way to protect cookies, but I can't test it. If you can confirm my code is working, I'd appreciate it.

Add this to MainForm.Script:

// Read one cookie value out of document.cookie by name.
function getCookie(name) {
  const value = `; ${document.cookie}`;
  const parts = value.split(`; ${name}=`);
  if (parts.length === 2) return parts.pop().split(';').shift();
}

// Re-write the uniGUI session cookie from the page with Secure and SameSite=Strict.
var keyValue = getCookie('UNI_GUI_SESSION_ID');
document.cookie = 'UNI_GUI_SESSION_ID=' + keyValue + ';Secure=true;SameSite=Strict';

// Second write, attempting to add HttpOnly.
keyValue = getCookie('UNI_GUI_SESSION_ID');
document.cookie = 'UNI_GUI_SESSION_ID=' + keyValue + ';HttpOnly=true';

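Whether a script like the one above can work follows from the browser's cookie storage rules, modelled here as an added Python example (not the thread's code and not a browser): RFC 6265 section 5.3 says a cookie received from a non-HTTP API such as document.cookie is ignored entirely if it carries HttpOnly, and may not replace an existing HttpOnly cookie of the same name; and, as quoted from MDN earlier in the thread, browsers reject a Secure cookie set from an insecure origin. The replay function models the two document.cookie writes from the script; the cookie value is constructed, and the cookie name is the one from the script.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    same_site: str = ""


class CookieJar:
    """Minimal model of the RFC 6265 section 5.3 rules that decide whether a
    cookie is stored, keyed by name only (domain and path are left out)."""

    def __init__(self):
        self.cookies = {}

    def store(self, cookie, from_http, scheme):
        """Return True if the cookie is stored, False if it is ignored.

        from_http: True for a Set-Cookie header, False for document.cookie.
        scheme:    'https' or 'http' of the origin that set the cookie.
        """
        # Secure cookies are only accepted from a secure origin
        # (the Chrome 52 / Firefox 52 behaviour quoted in the thread).
        if cookie.secure and scheme != "https":
            return False
        # A non-HTTP API may not create an HttpOnly cookie ...
        if not from_http and cookie.http_only:
            return False
        # ... and may not overwrite an existing HttpOnly cookie either.
        existing = self.cookies.get(cookie.name)
        if not from_http and existing is not None and existing.http_only:
            return False
        # Otherwise the new cookie replaces the old one in full; attributes
        # of the old cookie are not carried over.
        self.cookies[cookie.name] = cookie
        return True

    def get(self, name):
        return self.cookies.get(name)

    def script_readable(self):
        """Names visible through document.cookie (HttpOnly ones are not)."""
        return [c.name for c in self.cookies.values() if not c.http_only]


def replay_page_script(server_sets_http_only):
    """Model the script's two document.cookie writes on an https page after
    the server issued UNI_GUI_SESSION_ID, with or without HttpOnly.
    Returns (first write stored?, second write stored?, resulting cookie)."""
    jar = CookieJar()
    jar.store(Cookie("UNI_GUI_SESSION_ID", "constructed-value",
                     secure=server_sets_http_only,
                     http_only=server_sets_http_only),
              from_http=True, scheme="https")
    # document.cookie = '...;Secure=true;SameSite=Strict'
    first = jar.store(Cookie("UNI_GUI_SESSION_ID", "constructed-value",
                             secure=True, same_site="Strict"),
                      from_http=False, scheme="https")
    # document.cookie = '...;HttpOnly=true'
    second = jar.store(Cookie("UNI_GUI_SESSION_ID", "constructed-value",
                              http_only=True),
                       from_http=False, scheme="https")
    return first, second, jar.get("UNI_GUI_SESSION_ID")


if __name__ == "__main__":
    print(replay_page_script(server_sets_http_only=False))
    print(replay_page_script(server_sets_http_only=True))
```

In the model the first write goes through (Secure and SameSite=Strict can be set from the page), the second is dropped, so the cookie never gains HttpOnly from script; when the server already sets HttpOnly, as the SetCookie call earlier in the thread does, the script cannot read or replace the cookie at all. That is why HttpOnly has to come from the server side.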
