How to change attributes (Secure = True, HTTPOnly = True, Name = SomeNewName) on the "UNI_GUI_SESSION_ID" cookie.

[irigsoft]

Hi, I am trying to change some session Cookie values "UNI_GUI_SESSION_ID" such as Secure, HttOnly and others as follows but I am not succeeding.

What am I doing wrong?

  if ARequestInfo.Cookies.GetCookieIndex ('UNI_GUI_SESSION_ID') > 0 then begin
      ARequestInfo.Cookies.BeginUpdate;
      ARequestInfo.Cookies.Cookies [ARequestInfo.Cookies.GetCookieIndex ('UNI_GUI_SESSION_ID')].Secure := True;
      ARequestInfo.Cookies.Cookies [ARequestInfo.Cookies.GetCookieIndex ('UNI_GUI_SESSION_ID')].HttpOnly := True;
      ARequestInfo.Cookies.EndUpdate;
  end;
 

[Sherzod]

Hello,

Why do you want to change exactly here?

BTW, are you using https?

[irigsoft]

6 minutes ago, Sherzod said:

Hello,

Why do you want to change exactly here?

BTW, are you using https?

Hello, I try to change some attributes on system cookies by security reason ( I use unigui session id in some code in my projects and want to disable it to external access)

BTW, are you using https? - At this point, No. I know "Secure" is impossible without https, but I tried setting other attributes as well

[andyhill]

I stopped using cookies a long time ago, why not use local storage with your own encryption.

[irigsoft]

55 minutes ago, andyhill said:

I stopped using cookies a long time ago, why not use local storage with your own encryption.

hi, I'm using it already, thanks, but I saw that it's not possible to apply the attributes to this cookie, and I just wanted to know if I'm doing something wrong.

[irigsoft]

Hi, a new questions about this cookie

1. Is it possible to set HTTPOnly = True?

2. Is it possible to change name on the "UNI_GUI_SESSION_ID" cookie ? 

because: "Configuring a cookie with the HTTPOnly flag forces the web browser to have this cookie processed only by the server, and any attempt to access the cookie from client-based code or scripts is strictly forbidden. This protects against several type of attacks, including CSRF."

[Sherzod]

4 hours ago, irigsoft said:

Is it possible to set HTTPOnly = True?

?

[irigsoft]

17 minutes ago, Sherzod said:

?

this not work for me.

http and stand alone app, but httponly cannot be changed, by this way

[irigsoft]

On 3/31/2024 at 7:45 PM, Sherzod said:

?

Hi, 

I'm going to add a new way to protect cookies, but I can't test it, if someone can confirm my code is working I'd appreciate it.

add to MainForm.Script this:

function getCookie(name) {
  const value = `; ${document.cookie}`;
  const parts = value.split(`; ${name}=`);
  if (parts.length === 2) return parts.pop().split(';').shift();
};

//function setCookie () {
      var keyValue = getCookie ('UNI_GUI_SESSION_ID');
      document.cookie = 'UNI_GUI_SESSION_ID=' + keyValue + ';Secure=true;SameSite=Strict';

     keyValue = getCookie ('UNI_GUI_SESSION_ID');

      document.cookie = 'UNI_GUI_SESSION_ID=' + keyValue + ';HttpOnly=true';
//};

[Hayri ASLAN]

Why you are not changing it from UniGUIApplication.pas, line 1965 until we check it?

[irigsoft]

3 minutes ago, Hayri ASLAN said:

Why you are not changing it from UniGUIApplication.pas, line 1965 until we check it?

Hi, 

I don't have Source Code.

[Hayri ASLAN]

1 minute ago, irigsoft said:

Hi, 

I don't have Source Code.

What build are you using?

[irigsoft]

4 minutes ago, Hayri ASLAN said:

What build are you using?

Professional - 1.9.1551