VERIFIED SOLUTION

EngageOne - security associated with the handling of cookies being issued by the web application

Product Feature: Application Server Configuration
 

Issue

The security associated with the handling of cookies issued by the web application was assessed as weak: the session cookie (JSESSIONID) is set without the Secure and HttpOnly attributes.

Without these attributes the browser cannot protect the session token. Without HttpOnly, script running in the page (for example, via a cross-site scripting flaw) can read the cookie with document.cookie; without Secure, the browser will also send the cookie over plain HTTP, where it can be captured on the network. Either way the token is exposed to theft and may lead to session hijacking.

Cause

The Secure and HttpOnly attributes are not set on the session cookie by the application server (the SessionCookie security settings are left at their defaults).

Resolution

UPDATED: April 20, 2017
Customers of EngageOne 3.x may be running earlier versions of the supported application servers; the settings for each are given below. Note that once secure="true" is set, the browser sends JSESSIONID only over HTTPS, so the application (and any reverse proxy in front of it) must be served over HTTPS or users will lose their sessions.
* For JBoss 5.x, add the following element under <Context> in the file <JBoss>\server\<myJBossServerInstance>\deploy\jbossweb.sar\context.xml:
<SessionCookie secure="true" httpOnly="true" />
For example:
{code:xml}
<Context cookies="true" crossContext="true">
 <SessionCookie secure="true" httpOnly="true" />
 <Manager pathname="SESSIONS.ser" />
 <InstanceListener>org.jboss.web.tomcat.security.RunAsListener</InstanceListener>
</Context>
{code}
 

Setting the Secure and HttpOnly flags on the JSESSIONID cookie in WebSphere Application Server v7.0 and v8.x

WebSphere Application Server v8.0 and Higher:

  • In the administrative console, click Application servers > servername > Session management > Enable cookies.
  • The HttpOnly flag on JSESSIONID is enabled by default. Check that the option "Set session cookies to HTTPOnly to help prevent cross-site scripting attacks" is still selected.
  • The Secure flag on JSESSIONID is not enabled by default. To add it, select the option "Restrict cookies to HTTPS sessions".

WebSphere Application Server v7.0:

HTTPOnly flag

  • The HttpOnly setting on the JSESSIONID cookie was added in fix pack 7.0.0.9. You need to be at fix pack 7.0.0.9 or higher to configure the web container custom property "com.ibm.ws.webcontainer.HTTPOnlyCookies", which adds the HttpOnly flag to the named cookies (set its value to JSESSIONID, or to * to cover all cookies the server issues).
  • In the administrative console, click Application servers > servername > Web Container Settings > Web container > Custom properties, then click New... and enter the property name and value. Restart the server for the property to take effect.

Secure flag

  • In the administrative console, click Application servers > servername > Session management > Enable cookies.
  • To set the Secure flag on the JSESSIONID cookie, make sure the option "Restrict cookies to HTTPS sessions" is checked on that panel.
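Verification

After applying either the JBoss or the WebSphere change, confirm it from the client side rather than trusting the console: the Set-Cookie header that issues JSESSIONID must carry both Secure and HttpOnly. The script below is an added example for this article (it is not EngageOne, JBoss or WebSphere code). It parses raw HTTP response headers, reports which of the two attributes each cookie is missing, and flags whether JSESSIONID in particular is hardened. The sample responses embedded in it are constructed for illustration; in practice you would feed it the headers of the EngageOne login page captured with, for example, curl -skI https://host/EngageOne/ (the host and path are assumptions).

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this article; not code from EngageOne, JBoss or WebSphere.
The responses below are constructed samples, not captured traffic.
"""
from typing import Dict, List

REQUIRED = ("secure", "httponly")   # attributes the session cookie must carry
SESSION_COOKIE = "JSESSIONID"       # cookie name used by both JBoss Web and WebSphere


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into the cookie name and a lowercase attribute map.

    Flag attributes such as 'Secure' map to an empty string; valued ones
    such as 'Path=/EngageOne' keep their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, "attrs": attrs}


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of every Set-Cookie header in raw HTTP response headers."""
    values = []
    for line in raw_response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookies(raw_response: str) -> Dict[str, List[str]]:
    """Map each cookie name set by the response to the REQUIRED attributes it lacks."""
    findings: Dict[str, List[str]] = {}
    for header_value in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(header_value)
        findings[cookie["name"]] = [a for a in REQUIRED if a not in cookie["attrs"]]
    return findings


def session_cookie_is_hardened(raw_response: str, name: str = SESSION_COOKIE) -> bool:
    """True only if the session cookie is present AND carries both Secure and HttpOnly.

    A response that sets no session cookie at all is reported as not hardened,
    so a login page that silently stopped issuing JSESSIONID does not pass.
    """
    findings = audit_cookies(raw_response)
    return name in findings and not findings[name]


def fetch_raw_headers(url: str) -> str:
    """Fetch a URL and return its response headers as raw text (needs network access).

    Not exercised by the constructed samples; shown so the audit can be run
    against a live server. Each Set-Cookie header is returned separately.
    """
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())


# Constructed sample: what an unconfigured JBoss 5.x instance issues (weak).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123ABCD4567EF89; Path=/EngageOne\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

# Constructed sample: after <SessionCookie secure="true" httpOnly="true" />,
# plus a second, unrelated cookie to show per-cookie reporting.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123ABCD4567EF89; Path=/EngageOne; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/EngageOne\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_cookies(response),
              "session cookie hardened:", session_cookie_is_hardened(response))
```

The audit deliberately reports every cookie the server sets, not just JSESSIONID, because WebSphere and EngageOne may issue additional cookies; whether each of those also needs Secure and HttpOnly is a separate decision, but the JSESSIONID row must come back empty before the issue can be closed.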