httpOnly flag in CookieCsrfTokenRepository configuration #6151
According to the following https://security.stackexchange.com/questions/175536/does-a-csrf-cookie-need-to-be-httponly the httpOnly option is not required on CSRF cookies. I'm guessing that is why it was set to false.

My understanding from the documents I have read is that the httpOnly flag is not required for the CSRF cookie, but it does not indicate that it is not required for the other cookies. So I suspect that it should be enabled for other cookies. Based on the following, I can see that the httpOnly flag is not set to true for the serverTime and sessionExpiry cookies, and I think it should be set for those cookies. This test was done looking at the main search page from https://vanilla.geocat.net/geonetwork/srv/eng/catalog.search#/home (3.12.2.snapshot)
@ianwallen, in core-geonetwork/web/src/main/webResources/WEB-INF/web.xml Lines 475 to 482 in 4b57bd6

Related to CSRF cookies, it is probably less restrictive due to old Jeeves services still in use. I guess Spring MVC services should manage it automatically, but Jeeves services probably require injecting the CSRF token in the JavaScript code, but that needs to be checked.
The cookies with path core-geonetwork/core/src/main/java/org/geonetwork/http/SessionTimeoutCookieFilter.java Lines 67 to 68 in 4b57bd6
core-geonetwork/core/src/main/java/org/geonetwork/http/SessionTimeoutCookieFilter.java Lines 80 to 86 in 4b57bd6
I'll check if setting the application path solves the issue.
@josegar74 @ianwallen there are other places where cookies are set without the secure flag. Should they be changed to secure too? It also has the

@juanluisrp I didn't see that cookie in the browser, but sure, it should be updated. Please check and make a PR with this change.
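As an added illustration of the flags discussed in this thread (not GeoNetwork code, and not a proposed patch): a servlet filter that emits the serverTime and sessionExpiry cookies with HttpOnly, Secure (when the request itself came over HTTPS) and a Path limited to the application context. It assumes the javax.servlet API; the class name and the helper `infoCookie` are hypothetical. It also assumes these two cookies are not read by client-side JavaScript. The thread does not settle that, and a cookie that the browser code must read (the CSRF token cookie is the usual case) cannot be HttpOnly, which is the reason the CookieCsrfTokenRepository flag is false; for such cookies only Secure and Path apply.

```java
// Added example, not GeoNetwork code. Assumes the javax.servlet API (Servlet 3.0+)
// and the cookie names serverTime and sessionExpiry from this thread.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter name; sets two informational cookies with hardened flags. */
public class HardenedSessionTimeoutCookieFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session as a side effect of the filter.
        HttpSession session = request.getSession(false);

        long now = System.currentTimeMillis();
        // getMaxInactiveInterval() is in seconds; convert to milliseconds.
        long expiry = (session == null)
            ? now
            : session.getLastAccessedTime() + session.getMaxInactiveInterval() * 1000L;

        response.addCookie(infoCookie(request, "serverTime", Long.toString(now)));
        response.addCookie(infoCookie(request, "sessionExpiry", Long.toString(expiry)));

        chain.doFilter(req, res);
    }

    /**
     * Builds a cookie that is not meant to be read by JavaScript (assumption):
     *  - HttpOnly: invisible to document.cookie, so an XSS payload cannot read it
     *  - Secure: only set when the request arrived over TLS, so the cookie is
     *    never sent back over plain HTTP; behind a TLS-terminating proxy
     *    request.isSecure() depends on the container's proxy configuration
     *  - Path: scoped to the application context instead of the server root
     */
    static Cookie infoCookie(HttpServletRequest request, String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        String context = request.getContextPath();   // "" for the root context
        cookie.setPath(context.isEmpty() ? "/" : context);
        return cookie;
    }
}
```

If a cookie turns out to be read by the Angular client, drop only the `setHttpOnly(true)` call for that cookie and keep Secure and Path; HttpOnly and "readable from JavaScript" are mutually exclusive, and the CSRF cookie is the one deliberate instance of the latter.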
The CookieCsrfTokenRepository was developed in this commit
8ed2a12
The httpOnly flag was set to false which is less restrictive. Here is the configuration
core-geonetwork/web/src/main/webapp/WEB-INF/config-security/config-security-core.xml
Lines 361 to 364 in 368661c
Just wondering what the logic is behind it being set to false.