
Bug #11159

JSESSION cookie should be "secure"

Added by François ARMAND 4 months ago. Updated 3 months ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Target version (plugin):
Severity:
User visibility:
Effort required:
Priority: 0

Description

It is a good practice to do so.

It should be done with:

<?xml version="1.0"  encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="secureCookies" type="boolean">true</Set>
        </Get>
    </Get>
</Configure>

But it does not seem to work, certainly because our link between Jetty and Apache is HTTP (not HTTPS). Or because there is a problem if we specify several "Set" (there is one other for #11158).
See: https://stackoverflow.com/questions/3038223/how-to-get-jetty-to-send-jsessionid-cookies-with-the-secure-flag-when-using-a-se


Subtasks

Bug #11163: Enable mod header for apache - Rejected - Benoît PECCATTE


Related issues

Related to Rudder - Bug #11160: We should not send Jetty version in header response Rejected

Associated revisions

History

#2 Updated by François ARMAND 4 months ago

  • Copied to Bug #11160: We should not send Jetty version in header response added

#3 Updated by François ARMAND 4 months ago

  • Copied to deleted (Bug #11160: We should not send Jetty version in header response)

#4 Updated by François ARMAND 4 months ago

Perhaps for both this one, httpOnly, and removing the Jetty header, the config could be done in Apache with mod_header: https://serverfault.com/questions/645964/httponly-and-secure-cookies-with-apache-mod-header-for-all-cookies

That would allow us to put all that config in the same place, even if we have cookies from other apps one day (like the technique editor or whatever), and not be dependent on Jetty (nor its version).
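The reverse-proxy approach above rewrites every Set-Cookie header on the way out, typically with a mod_headers rule of the form `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`. As an added example (not code from this issue or from Rudder), here is the same rewrite and an audit check in Python, run over constructed sample headers modelled on the JSESSIONID cookie this bug is about; the cookie values and path are assumptions.

```python
# Flags a session cookie served only over HTTPS should carry.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def cookie_flags(set_cookie):
    """Attribute names present on a Set-Cookie value, lower-cased,
    e.g. {'path', 'httponly'}; the first segment is name=value, not a flag."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def missing_flags(set_cookie):
    """Required flags absent from a Set-Cookie value (the audit check)."""
    present = cookie_flags(set_cookie)
    return [f for f in REQUIRED_FLAGS if f.lower() not in present]


def harden_set_cookie(set_cookie):
    """Append the missing flags the way the mod_headers 'Header edit' rule
    does, but only when absent, so a response that already carries them
    (or passes through two proxies) does not accumulate duplicates."""
    value = set_cookie.rstrip().rstrip(";")
    for flag in missing_flags(set_cookie):
        value += ";" + flag
    return value


def audit(headers):
    """(cookie name, missing flags) per header; an empty list is compliant."""
    return [(h.split("=", 1)[0], missing_flags(h)) for h in headers]


# Constructed samples: a Jetty session cookie proxied over plain HTTP
# (HttpOnly set, Secure missing, as described in the bug) and a hardened one.
SAMPLE_HEADERS = [
    "JSESSIONID=node0abc123.node0;Path=/rudder;HttpOnly",
    "JSESSIONID=node0abc123.node0;Path=/rudder;HttpOnly;Secure",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(name + ": " + status)
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```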

#5 Updated by François ARMAND 4 months ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND

#6 Updated by François ARMAND 4 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder/pull/1704

#9 Updated by François ARMAND 4 months ago

  • Status changed from Pending technical review to Pending release

#10 Updated by François ARMAND 4 months ago

  • Related to Bug #11160: We should not send Jetty version in header response added

#11 Updated by Vincent MEMBRÉ 3 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.22, 4.1.6 and 4.2.0~beta3 which were released today.

#12 Updated by François ARMAND 3 months ago

  • Private changed from Yes to No

Removing the private status now that the releases containing the fixes are available.
