Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support JSON Property for HTTPOnly #412

Closed
nynymike opened this issue Dec 22, 2016 · 0 comments
Closed

Support JSON Property for HTTPOnly #412

nynymike opened this issue Dec 22, 2016 · 0 comments
Assignees
@qbert2k
Labels
enhancement libs update, re-factroring, etc.
Milestone
CE 3.0.0

Comments

@nynymike
Copy link
Contributor

Using HTTPOnly would mitigate the risk of the session being stolen. See: https://www.owasp.org/index.php/HttpOnly

What is the impact of removing this feature? Would it just disable SessionManagement? If the customer does not use Session Mgt, they may not care, and may prefer to use HTTPOnly. In this case, it would be better to maintain a JSON property that made this flag configurable.

Customer commented:

> The cookie Session_state is served with httponly=false which
> is a potential security risk. I found in the code of
> SessionStateService.java a comment stating it's not possible to set
> this to true due to the fact it is read by javascript.
@nynymike nynymike added enhancement libs update, re-factroring, etc. Low priority labels Dec 22, 2016
@nynymike nynymike added this to the CE 3.0.0 milestone Dec 22, 2016
qbert2k added a commit that referenced this issue Dec 29, 2016
@qbert2k
oxAuth #412
3ea1353 
Support JSON Property for HTTPOnly

To enable it, set sessionStateHttpOnly: true in oxAuth config.

Note that SessionManagement will not work.
See http://openid.net/specs/openid-connect-session-1_0.html

Note that your browser should not allow a client-side script to access the session_state cookie. Unfortunately, since the attribute is relatively new, several browsers may neglect to handle the new attribute properly.
See https://www.owasp.org/index.php/HttpOnly
qbert2k added a commit that referenced this issue Dec 29, 2016
@qbert2k
Merge pull request #421 from GluuFederation/HttpOnly-session_state
6a65a4a 
oxAuth #412
@qbert2k qbert2k closed this as completed Dec 30, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@qbert2k qbert2k

Labels
enhancement libs update, re-factroring, etc.
Projects
None yet
Milestone
CE 3.0.0
Development

No branches or pull requests
2 participants
@qbert2k @nynymike