
How to increase security by marking cookies as 'secure'

Cookies that are not marked as 'secure' can be sent over untrusted public networks in clear text and using unsecured protocols (e.g., HTTP). In some contexts, this can be a security issue. In contrast, when cookies are marked as 'secure', web browsers can send them only via secure network protocols (e.g., HTTPS). This article describes how to configure the xMatters web server or fronting server to use secure cookies.

Issue Background

When using cookie-based session tracking, the jsessionid is stored in the cookie as a key-value pair. Once the cookie has been sent to the client (browser), the browser returns it on subsequent requests so that the user session can be identified. However, cookies are stored in cleartext, and anyone with access to the computer can easily view these key-value pairs. It is also important to note that the HTTP protocol does not encrypt the headers in any way; if the connection is not SSL, the cookie is not protected in transit.

Resolution

When the secure option is set on a cookie, the browser (or other HTTP client) will only send the cookie over SSL connections. This means that the cookie will not be available to any part of the site that is not secure. As a result, it is much less likely that a user will accidentally send the cookie across the network as cleartext.

The webserver/contexts/alarmpoint.xml file is used to enable cookies for session management (see the xMatters (alarmpoint) engine installation and administration guide for details). Once cookies have been enabled for session management, a system property can be added to secure cookies, as described below. Note that the instructions vary depending on whether you are using a fronting server.

xMatters SSL (no fronting server)

Follow the steps in this section if you are using the SSL configuration in xMatters (i.e., instead of using a fronting server).

To mark all xMatters cookies as secure, follow the appropriate steps for your operating system:

Windows
  1. Open the common/webserver-start.conf file in a text editor and add the following line after the jetty.use.cookies property:
     -Djetty.secure.cookies=true
  2. Save the file and restart the web server.

Unix
  1. Open the webserver.sh file in a text editor and locate the following line:
     USE_COOKIES="-Djetty.use.cookies=true"
  2. Modify the line to the following:
     USE_COOKIES="-Djetty.use.cookies=true -Djetty.secure.cookies=true"
  3. Save the file and restart the web server.

Apache httpd 2.2 fronting server

If you are using the Apache 2.2 (or higher) Web Server as a secure fronting server, securing cookies requires Apache configuration, because xMatters is not aware of the proxy server. This also means that there is no applicable configuration on the xMatters side in this situation.

NOTE: If you want to use a fronting server and you need to secure cookies, it is strongly recommended that you use Apache httpd 2.2 (or higher) with xMatters (there is currently no solution on IIS).

To mark all xMatters cookies as secure:
  1. If you are using cookie-based session tracking and your Apache HTTP server also hosts or proxies other applications under a different path, add the following line alongside the directives shown in the following steps (it rewrites the cookie path from / to /alarmpoint/ so the cookie is scoped to the xMatters context):
     ProxyPassReverseCookiePath / /alarmpoint/
  2. To use the mod_headers module to add the Secure attribute, open the httpd.conf file in a text editor and add mod_headers to the module list at the top of the file:
     LoadModule headers_module modules/mod_headers.so
  3. Add the Header directive after the ProxyPassReverseCookiePath directive:
     # Fix the cookie path and secure it
     Header edit Set-Cookie "^(.*)" $1;Secure

The Header edit form requires Apache httpd 2.2.4 or later. The regular expression matches every Set-Cookie value returned by the backend, so the Secure attribute is appended to all cookies, not only the session cookie. After restarting Apache, confirm the change by inspecting the Set-Cookie response header from the xMatters URL.
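Whichever of the two configurations you apply, the result should be verified by looking at the Set-Cookie headers the server actually returns. The following script is an added example, not part of the original article and not xMatters or Apache code: it parses Set-Cookie header values, reports whether each cookie carries the Secure (and HttpOnly) attribute, and lists any session cookie that is still missing Secure. The sample headers, the cookie value and the default cookie name JSESSIONID are constructed for the example; fetch_set_cookie_headers is an optional helper for running the same audit against a live HTTPS host and is not used by the offline sample.

```python
"""Audit Set-Cookie headers for the Secure attribute after enabling secure cookies."""
import http.client
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]

# Constructed sample Set-Cookie headers, as a browser would receive them; the
# cookie values are made up for this example.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F; Path=/alarmpoint/; HttpOnly",         # before: no Secure attribute
    "JSESSIONID=1A2B3C4D5E6F; Path=/alarmpoint/; HttpOnly;Secure",  # after: Secure appended
    "prefs=light; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",    # unrelated, non-session cookie
]


def parse_set_cookie(header_value: str) -> Tuple[str, str, Attrs]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and HttpOnly
    map to True, valued attributes such as Path and Expires map to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(headers: List[str], session_cookie: str = "JSESSIONID") -> List[Dict[str, object]]:
    """Report, per cookie, whether Secure and HttpOnly are present and which path it is scoped to."""
    findings: List[Dict[str, object]] = []
    for raw in headers:
        name, _, attrs = parse_set_cookie(raw)
        findings.append({
            "name": name,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "path": attrs.get("path"),
            "is_session_cookie": name.upper() == session_cookie.upper(),
        })
    return findings


def insecure_session_cookies(headers: List[str], session_cookie: str = "JSESSIONID") -> List[str]:
    """Names of session cookies that a browser would still send over plain HTTP."""
    return [str(f["name"]) for f in audit_set_cookie(headers, session_cookie)
            if f["is_session_cookie"] and not f["secure"]]


def fetch_set_cookie_headers(host: str, path: str = "/alarmpoint/", port: int = 443) -> List[str]:
    """Collect every Set-Cookie header from one HTTPS GET against a live host (hypothetical usage)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding)
    print("session cookies missing Secure:", insecure_session_cookies(SAMPLE_HEADERS))
```

Run it as-is to see the before/after difference on the constructed samples; to check a real deployment, call `audit_set_cookie(fetch_set_cookie_headers("your-xmatters-host"))` and treat any entry with `"secure": False` as a misconfiguration. Because the Apache directive appends `;Secure` to the whole header value, the parser deliberately tolerates a missing space after the semicolon.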

Further information

xMatters internal reference: DTN-2304, DTN-2306
