This is another complaint we get from customers running security scans against our app.
Is there a way to ensure that cookies have the secure flag set by default? Or do I just need to go through the source looking for AddCookie instances? I'll admit that I haven't paid much attention to WC cookie creation - mostly relying on the framework to handle it.
--stein

The secure flag is not set by default, but the options to do so are on the various methods. The default generated projects use secure Session cookies - and you can manually set this in one place by adding the secure parameter to the InitSession() call.
For the explicit AddCookie() calls you have, you go through and explicitly add the secure header.
Can't really change the default because that can potentially affect behavior of existing applications.
+++ Rick ---
Since I need to revisit all the AddCookie instances in my code, I thought I'd refactor everything to use wwCookie as recommended in the docs.
I want something equivalent to this (but with the secure flag set):
loHeader = CREATE("wwHTTPHeader")
loHeader.DefaultHeader()
loHeader.AddCookie("WWSESSIONID",cSessionID)
Response.ContentTypeHeader(loHeader)
RELEASE loHeader
Would this work?
loCookie = CREATEOBJECT("wwCookie")
loCookie.CookieName = "WWSESSIONID"
loCookie.Value = cSessionID
loCookie.Secure = .T.
Response.AddCookie(loCookie)
--sg
Yes, that code is the way to do it. I would create a function or method somewhere for setting cookies in one place so you don't have to write this code each time.
FUNCTION GetApplicationCookie(lcSessionID)
LOCAL loCookie
loCookie = CREATEOBJECT("wwCookie")
loCookie.CookieName = "WWSESSIONID"
loCookie.Value = lcSessionID    && session id passed in by the caller
loCookie.HttpOnly = .T.         && not readable from client-side script
loCookie.Secure = .T.           && only sent over HTTPS
RETURN loCookie
ENDFUNC
Note that if you set the cookie to secure you have to use HTTPS - this might affect your development setup, which now also has to run as HTTPS in order for the cookie to work. If that's the case you might want to selectively add a configuration flag around the settings to determine whether the cookie should be secure.
Or - use HTTPS locally - IIS Express and the Web Connection Web Server both can run HTTPS locally, which is not a bad idea.
+++ Rick ---
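The complaint that started this thread comes from a security scanner reading the Set-Cookie headers of the responses. The small auditor below, an added example that is not part of the original thread or of Web Connection itself, does the same check offline: it parses Set-Cookie header lines the way a scanner would and reports which cookies lack Secure, and which session cookies also lack HttpOnly. The sample headers are constructed, and the session cookie name list is an assumption (WWSESSIONID is the name used in the thread), so adjust it for the cookies your application issues.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Constructed sample Set-Cookie headers, as a scanner would see them in
# three different HTTP responses. Only the first one is fully hardened.
SAMPLE_SET_COOKIE_HEADERS = [
    "WWSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "WWSESSIONID=abc123; Path=/",
    "prefs=dark; Path=/; Secure",
]

# Assumption: cookies with these names carry a session id and therefore
# must be HttpOnly as well as Secure.
SESSION_COOKIE_NAMES = ("WWSESSIONID",)


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into its name and the
    security-relevant attributes. Attribute names are case-insensitive
    per RFC 6265, so they are compared in lower case."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip()
    return CookieAudit(name, secure, httponly, samesite)


def audit_cookie(header: str,
                 session_names: Sequence[str] = SESSION_COOKIE_NAMES) -> CookieAudit:
    """Return the parsed cookie with a list of findings a scanner would raise."""
    cookie = parse_set_cookie(header)
    if not cookie.secure:
        cookie.problems.append("missing Secure")
    if cookie.name in session_names and not cookie.httponly:
        cookie.problems.append("session cookie missing HttpOnly")
    return cookie


def audit_headers(headers: Sequence[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header and keep the order, since the same
    cookie name may legitimately be set more than once."""
    return [(c.name, c.problems) for c in (audit_cookie(h) for h in headers)]


def extract_set_cookie_lines(raw_response_headers: str) -> List[str]:
    """Pull Set-Cookie values out of a raw header block (e.g. saved from
    curl -D), so the auditor can be pointed at a real response."""
    return re.findall(r"^Set-Cookie:\s*(.+?)\s*$",
                      raw_response_headers, flags=re.IGNORECASE | re.MULTILINE)


if __name__ == "__main__":
    for name, problems in audit_headers(SAMPLE_SET_COOKIE_HEADERS):
        status = "ok" if not problems else ", ".join(problems)
        print(f"{name}: {status}")
```

After switching the AddCookie calls over to wwCookie with Secure and HttpOnly set, capture the response headers of the login page and a few other pages (for example with curl -D) and feed them through extract_set_cookie_lines and audit_headers; an empty problems list for every cookie is what the scanner is looking for. Remember that a browser will not send a Secure cookie back over plain HTTP, which is why the local development site also needs to run under HTTPS once the flag is on.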
