| Anonymous | Login | Signup for a new account | 04-18-2024 16:57 PDT |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Advanced Details [ Jump to Notes ] | [ View Simple ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0006140 | [Resin] | feature | always | 02-19-18 13:13 | 05-29-18 16:43 | ||||
| Reporter | stbu | View Status | public | ||||||
| Assigned To | ferg | ||||||||
| Priority | normal | Resolution | fixed | Platform | |||||
| Status | closed | OS | |||||||
| Projection | none | OS Version | |||||||
| ETA | none | Fixed in Version | 4.0.57 | Product Version | 4.0.55 | ||||
| Product Build | |||||||||
| Summary | 0006140: Feature-Request: Possibility to add SameSite attribute to the Session Cookie? | ||||||||
| Description |
TL;DR: A resin configuration option to append "; SameSite=Lax|Strict" to the Session cookie. With current 4.x Version of Caucho Resin it's already possible to improve the security of Resin powered Hosts / Web-Apps. For example: * The 'Secure' Cookie attribute is set when using <ssl-session-cookie> * This <ssl-session-cookie> also *can* be used to set a Name prefix such as '__Host-' or '__Secure-' e.g.: <ssl-session-cookie>__Host-SSLJSESSIONID</ssl-session-cookie> Advantages: __Host- prefix: Cookies with a name starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore aren't sent to subdomains) and the path must be "/". * And of course the <cookie-http-only/> to set the HttpOnly attribute and protect the Session Cookie from JavaScript access (e.g. to mitigate attacks against cross-site scripting (XSS)). An upcoming standard, SameSite cookies, creates more secure cookies that are sent only on requests that originate from the same site that issued them. They are designed to prevent Cross-Site Request Forgery (CSRF) or at least make it more difficult. [Quoting hardenize.com a nifty tool to perform an overall check for your domain] It would be great if the Session Cookie in Resin could be configured to have the SameSite attribute with either value "Lax" or "Strict" or not at all when not configured at all. I would suggest a Resin configuration attribute at the same level as <cookie-http-only> with two possible values: <cookie-same-site>Lax</cookie-same-site> => resulting in appending "; SameSite=Lax" to the Session Cookie or <cookie-same-site>Strict</cookie-same-site> => resulting in appending "; SameSite=Strict" to the Session Cookie |
||||||||
| Steps To Reproduce | |||||||||
| Additional Information |
- Reasons to adopt it: https://scotthelme.co.uk/csrf-is-dead/ [^] https://www.owasp.org/index.php/SameSite [^] - Specification: https://tools.ietf.org/html/draft-west-first-party-cookies-07 [^] which is an update to RFC626 (HTTP State Management Mechanism / https://tools.ietf.org/html/rfc6265) [^] if approved - Mozilla Developer Network: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie [^] - Browser support for SameSite cookies (which is at almost 60 percent globally). https://caniuse.com/#search=samesite [^] |
||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0006838) ferg 05-29-18 16:43 |
server/01ek |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 02-19-18 13:13 | stbu | New Issue | |
| 02-19-18 13:13 | stbu | Issue Monitored: stbu | |
| 05-29-18 16:43 | ferg | Note Added: 0006838 | |
| 05-29-18 16:43 | ferg | Assigned To | => ferg |
| 05-29-18 16:43 | ferg | Status | new => closed |
| 05-29-18 16:43 | ferg | Resolution | open => fixed |
| 05-29-18 16:43 | ferg | Fixed in Version | => 4.0.57 |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed. 26 unique queries executed. |  |
