Mantis Bugtracker
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0006140 [Resin] feature always 02-19-18 13:13 05-01-18 16:43
Reporter stbu View Status public  
Assigned To ferg
Priority normal Resolution fixed  
Status closed   Product Version 4.0.55
Summary 0006140: Feature-Request: Possibility to add SameSite attribute to the Session Cookie?
Description TL;DR: A resin configuration option to append "; SameSite=Lax|Strict" to the Session cookie.


With current 4.x Version of Caucho Resin it's already possible to improve the security of Resin powered Hosts / Web-Apps.
For example:

* The 'Secure' Cookie attribute is set when using <ssl-session-cookie>

* This <ssl-session-cookie> also *can* be used to set a Name prefix such as '__Host-' or '__Secure-' e.g.: <ssl-session-cookie>__Host-SSLJSESSIONID</ssl-session-cookie>
  Advantages:
  __Host- prefix: Cookies with a name starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore aren't sent to subdomains) and the path must be "/".

* And of course the <cookie-http-only/> to set the HttpOnly attribute and protect the Session Cookie from JavaScript access (e.g. to mitigate attacks against cross-site scripting (XSS)).


An upcoming standard, SameSite cookies, creates more secure cookies that are sent only on requests that originate from the same site that issued them. They are designed to prevent Cross-Site Request Forgery (CSRF) or at least make it more difficult.
[Quoting hardenize.com a nifty tool to perform an overall check for your domain]

It would be great if the Session Cookie in Resin could be configured to have the SameSite attribute with either value "Lax" or "Strict" or not at all when not configured at all.

I would suggest a Resin configuration attribute at the same level as <cookie-http-only> with two possible values:

<cookie-same-site>Lax</cookie-same-site> => resulting in appending "; SameSite=Lax" to the Session Cookie
or
<cookie-same-site>Strict</cookie-same-site> => resulting in appending "; SameSite=Strict" to the Session Cookie
Additional Information - Reasons to adopt it:
https://scotthelme.co.uk/csrf-is-dead/ [^]
https://www.owasp.org/index.php/SameSite [^]

- Specification:
https://tools.ietf.org/html/draft-west-first-party-cookies-07 [^]
which is an update to RFC626 (HTTP State Management Mechanism / https://tools.ietf.org/html/rfc6265) [^] if approved

- Mozilla Developer Network:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie [^]

- Browser support for SameSite cookies (which is at almost 60 percent globally).
https://caniuse.com/#search=samesite [^]
Attached Files

- Relationships

- Notes
(0006838)
ferg
05-01-18 16:43

server/01ek
 

- Issue History
Date Modified Username Field Change
02-19-18 13:13 stbu New Issue
02-19-18 13:13 stbu Issue Monitored: stbu
05-01-18 16:43 ferg Note Added: 0006838
05-01-18 16:43 ferg Assigned To  => ferg
05-01-18 16:43 ferg Status new => closed
05-01-18 16:43 ferg Resolution open => fixed
05-01-18 16:43 ferg Fixed in Version  => 4.0.57


Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed.
26 unique queries executed.
Powered by Mantis Bugtracker