Mantis - Resin
Viewing Issue Advanced Details

ID: 6140
Severity: feature
Reproducibility: always
Date Submitted: 02-19-18 13:13
Last Update: 05-29-18 16:43
Reporter: stbu
Assigned To: ferg
Priority: normal
Status: closed
Product Version: 4.0.55
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 4.0.57

Summary: 0006140: Feature-Request: Possibility to add SameSite attribute to the Session Cookie?
TL;DR: A resin configuration option to append "; SameSite=Lax|Strict" to the Session cookie.


With the current 4.x version of Caucho Resin it's already possible to improve the security of Resin-powered hosts / web apps.
For example:

* The 'Secure' Cookie attribute is set when using <ssl-session-cookie>

* This <ssl-session-cookie> also *can* be used to set a Name prefix such as '__Host-' or '__Secure-' e.g.: <ssl-session-cookie>__Host-SSLJSESSIONID</ssl-session-cookie>
  Advantages:
  __Host- prefix: Cookies with a name starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore aren't sent to subdomains) and the path must be "/".

* And of course the <cookie-http-only/> to set the HttpOnly attribute and protect the Session Cookie from JavaScript access (e.g. to mitigate attacks against cross-site scripting (XSS)).


An upcoming standard, SameSite cookies, creates more secure cookies that are sent only on requests that originate from the same site that issued them. They are designed to prevent Cross-Site Request Forgery (CSRF) or at least make it more difficult.
[Quoting hardenize.com, a nifty tool to perform an overall check for your domain]

It would be great if the Session Cookie in Resin could be configured to have the SameSite attribute with either the value "Lax" or "Strict", or no SameSite attribute at all when nothing is configured.

I would suggest a Resin configuration attribute at the same level as <cookie-http-only> with two possible values:

<cookie-same-site>Lax</cookie-same-site> => resulting in appending "; SameSite=Lax" to the Session Cookie
or
<cookie-same-site>Strict</cookie-same-site> => resulting in appending "; SameSite=Strict" to the Session Cookie

- Reasons to adopt it:
https://scotthelme.co.uk/csrf-is-dead/
https://www.owasp.org/index.php/SameSite

- Specification:
https://tools.ietf.org/html/draft-west-first-party-cookies-07
which is an update to RFC 6265 (HTTP State Management Mechanism / https://tools.ietf.org/html/rfc6265) if approved

- Mozilla Developer Network:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

- Browser support for SameSite cookies (which is at almost 60 percent globally):
https://caniuse.com/#search=samesite
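The request above lists the Set-Cookie attributes a hardened session cookie should carry (Secure via <ssl-session-cookie>, HttpOnly via <cookie-http-only/>, the __Host-/__Secure- name prefixes, and the proposed SameSite=Lax|Strict). The following Python script is an added example, not code from this issue or from Resin: it builds a Set-Cookie header from settings that mirror those three configuration options (the function and parameter names are assumptions for illustration) and audits any Set-Cookie header against the rules the request describes, so a reviewer can check what a server actually emits. The sample headers are constructed.

```python
"""Build and audit Set-Cookie headers for the attributes discussed in the
feature request: Secure, HttpOnly, __Host-/__Secure- prefixes and SameSite.
This is an added example; function and parameter names are assumptions."""

from typing import Dict, List, Optional

# The two SameSite values proposed in the request.
VALID_SAME_SITE = {"lax", "strict"}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie header value into a dict.

    '__name__' and '__value__' hold the cookie pair; every other key is an
    attribute name lower-cased (attribute names are case-insensitive per
    RFC 6265), mapped to its value or None for flag attributes (Secure, HttpOnly).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"__name__": name.strip(), "__value__": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_eq else None
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return findings for a session Set-Cookie header; an empty list passes."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    name = c["__name__"]
    secure = "secure" in c

    if not secure:
        findings.append("missing Secure attribute")
    if "httponly" not in c:
        findings.append("missing HttpOnly attribute")

    # __Host- rules as stated in the request: Secure, no Domain, Path must be "/".
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if "domain" in c:
            findings.append("__Host- prefix forbids Domain")
        if c.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
    elif name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")

    # SameSite: must be present and one of the proposed values.
    if "samesite" not in c:
        findings.append("missing SameSite attribute")
    elif c["samesite"] is None or c["samesite"].lower() not in VALID_SAME_SITE:
        findings.append(f"unexpected SameSite value {c['samesite']!r}")
    return findings


def build_session_cookie(name: str, value: str, *, ssl_session_cookie: bool = True,
                         cookie_http_only: bool = True, cookie_same_site: Optional[str] = None,
                         path: str = "/") -> str:
    """Compose a Set-Cookie header; the keyword names mirror the Resin options
    <ssl-session-cookie>, <cookie-http-only/> and the proposed <cookie-same-site>."""
    attrs = [f"{name}={value}", f"Path={path}"]
    if ssl_session_cookie:
        attrs.append("Secure")
    if cookie_http_only:
        attrs.append("HttpOnly")
    if cookie_same_site is not None:
        if cookie_same_site.lower() not in VALID_SAME_SITE:
            raise ValueError(f"cookie-same-site must be Lax or Strict, got {cookie_same_site!r}")
        attrs.append(f"SameSite={cookie_same_site}")
    return "; ".join(attrs)


# Constructed sample headers, from weakest to the configuration the request asks for.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "__Host-SSLJSESSIONID=abc123; Domain=example.com; Secure; HttpOnly; SameSite=Strict",
    build_session_cookie("__Host-SSLJSESSIONID", "abc123", cookie_same_site="Lax"),
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h)
        for f in audit_session_cookie(h) or ["ok"]:
            print("  -", f)
```

Running the script prints each sample header followed by its findings; only the header produced by build_session_cookie with cookie_same_site="Lax" passes every check, the plain JSESSIONID cookie lacks all three attributes, and the __Host- cookie with a Domain and no Path=/ violates the prefix rules even though it carries Secure, HttpOnly and SameSite.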

Notes

(0006838) ferg, 05-29-18 16:43:
server/01ek