How to Implement HTTPOnly and Secure Cookie in Web Servers.
Session cookies are often seen as one of the biggest security and privacy weak spots in HTTP, yet they are usually necessary to maintain state in modern web applications. By default a cookie carries no protection and can be intercepted by an unauthorized party. Cookies typically store session identifiers that grant full access to an account, so if a cookie is intercepted the session can be hijacked by someone impersonating the real user.
For this reason it is important to set the attributes that make cookies harder to steal, which comes down to the following two flags:
1. HttpOnly Flag
The first flag to set is HttpOnly. Without it, a cookie is not only sent with HTTP requests; any JavaScript running on the page can also read it through document.cookie. That is dangerous because a cross-site scripting (XSS) flaw then lets injected script read the session cookie and send it to the attacker.
Setting the HttpOnly flag restricts this: the browser transmits the cookie only in HTTP requests and hides it from script (document.cookie and similar APIs). Note that HttpOnly does not fix the XSS itself; injected script can still issue requests that carry the cookie, it just cannot read the cookie's value and exfiltrate it.
2. Secure Flag
The second flag to pay attention to is Secure. By default a cookie is sent on both HTTP and HTTPS requests to its host. An attacker who cannot read the HTTPS traffic can induce (or simply wait for) a plain HTTP request to the same host and capture the same cookie in cleartext. The Secure flag tells the browser to send the cookie only over HTTPS; it does not encrypt the cookie itself, it stops the cookie from ever being transmitted on an unencrypted connection.
Ideally these attributes are set in the application code. Where developers have not done so, IT operations can enforce them at the web server with one of the procedures below. Two caveats apply to all of them: the rewrites append the flags blindly, so a cookie the application already flagged ends up with duplicate attributes (harmless, but a sign the server-side fix is no longer needed), and the SameSite=None value shown in several examples allows the cookie on cross-site requests, so prefer SameSite=Lax unless cross-site use is actually required.
Implementation Procedure in Apache
- Ensure mod_headers (mod_headers.so) is loaded in the Apache HTTP server
- Add the following entry to httpd.conf:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None

  The plain form only acts on successful responses; use Header always edit if the application also sets cookies on error responses.
- Restart the Apache HTTP server to test
Note: Header edit is not available in Apache versions below 2.2.4.
- Versions below 2.2.4 only offer Header set, which replaces the whole Set-Cookie value instead of appending to it, so the following discards the cookie itself and is not a usable substitute; upgrade Apache or set the flags in the application instead:

    Header set Set-Cookie HttpOnly;Secure;SameSite=None
Implementation Procedure in Tomcat
Implement HttpOnly & Secure flag in Tomcat 6.x
- Log in to the server
- Go to the Tomcat installation path and then the conf folder
- Open context.xml in an editor and update the Context element as below:

    <Context useHttpOnly="true">

Next, add the Secure flag.
- Open server.xml and add the following attribute to the Connector element for the port in use:

    secure="true"

  This tells Tomcat that requests on this connector arrive over TLS (for example behind a TLS-terminating proxy), so the session cookies it creates are marked Secure. Only set it on a connector that really is served over HTTPS.
- Restart the Tomcat server to test the application
Implementing in Tomcat 7.x/8.x/9.x
- Go to the Tomcat conf folder
- Open web.xml and add the following inside the session-config element:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

- Save the file and restart Tomcat to test it.
Implementation Procedure in IIS
Enable HttpOnly and Secure Flags in IIS (ASP.NET applications)
- Edit the web.config file of your web application and add the following:

    <system.web>
      .....
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
      ...
    </system.web>

  httpOnlyCookies="true" adds HttpOnly and requireSSL="true" adds Secure to the cookies ASP.NET creates; the setting has no effect on cookies emitted by non-ASP.NET applications hosted in IIS.
Add Cookie Flags with URL Rewrite in IIS
For applications where the httpCookies setting does not apply, the URL Rewrite module can modify outbound Set-Cookie headers. The rule below appends SameSite=lax to every Set-Cookie header that does not already carry it; the same pattern adds Secure or HttpOnly by putting "; Secure" or "; HttpOnly" in the action value and the negated precondition. Note that <clear /> discards any outbound rules inherited from a parent configuration. Add the following to your web.config file:

    <system.webServer>
      <rewrite>
        <outboundRules>
          <clear />
          <rule name="Add SameSite" preCondition="No SameSite">
            <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
            <action type="Rewrite" value="{R:0}; SameSite=lax" />
          </rule>
          <preConditions>
            <preCondition name="No SameSite">
              <add input="{RESPONSE_Set_Cookie}" pattern="." />
              <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=lax" negate="true" />
            </preCondition>
          </preConditions>
        </outboundRules>
      </rewrite>
      ...
    </system.webServer>
Implementation Procedure in Nginx
There are two possible ways to achieve this in Nginx web server.
- By using the nginx_cookie_flag_module module
An Nginx module called nginx_cookie_flag by Anton Saraykin lets you set the HttpOnly and Secure flags on the Set-Cookie HTTP response header. Keep in mind that you need to build Nginx from source with the module added, e.g.:

    --add-module=/path/to/nginx_cookie_flag_module

Once Nginx is built with the module, add the following line in either a location or server block of the respective configuration file:

    set_cookie_flag HttpOnly secure;

Restart Nginx to verify the results.
- By using proxy_cookie_path
Another option, when Nginx proxies to a backend, is to add the following to ssl.conf or default.conf:

    proxy_cookie_path / "/; HTTPOnly; Secure;SameSite=none";

This only affects cookies in proxied responses, and it is a prefix replacement on the Path attribute: a cookie with Path=/ gets the flags appended cleanly, but one with Path=/app would end up as Path=/; HTTPOnly; Secure;SameSite=noneapp, so check what paths the application actually emits. Cookies without a Path attribute are left untouched. Nginx 1.19.3 and later also provide a dedicated proxy_cookie_flags directive for adding these flags to proxied cookies. Restart Nginx to see the results.
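To confirm the result of any of the procedures above, and to see concretely what the HttpOnly, Secure and SameSite attributes described in the flag sections look like on a Set-Cookie header, here is an added example that is not part of the original article or of any of the web servers it covers. It is a standard-library Python 3 script that audits Set-Cookie headers for the three attributes and shows an idempotent way of appending them (the Apache and Nginx rewrites above append blindly). The sample headers are constructed for the example; `fetch_set_cookies` is an assumed helper name so the same audit can be run against a live server after the restart.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / SameSite.

Added example for this article (not code from any of the web servers above).
Standard library only; pass a URL as the first argument to check a live server,
otherwise the constructed SAMPLE_HEADERS below are audited.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie_name, {attribute: value}).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header):
    """Return a list of findings; an empty list means the cookie is correctly flagged."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable from document.cookie)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (browser also sends it over plain HTTP)")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # SameSite=None re-enables cross-site sending, and browsers reject it without Secure.
        findings.append(f"{name}: SameSite=None allows cross-site requests; use Lax unless required")
    elif samesite not in ("lax", "strict"):
        findings.append(f"{name}: no explicit SameSite attribute")
    return findings


def harden_set_cookie(header, samesite="Lax"):
    """Append missing flags without duplicating ones already present.

    Unlike the Apache 'Header edit' and Nginx 'proxy_cookie_path' rewrites above,
    a cookie the application already flagged is returned unchanged.
    """
    _, attrs = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "secure" not in attrs:
        out += "; Secure"
    if "samesite" not in attrs:
        out += f"; SameSite={samesite}"
    return out


def fetch_set_cookies(url, timeout=5):
    """GET url and return its Set-Cookie headers as a list (live check, needs network)."""
    u = urlsplit(url)
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    # getheaders() keeps repeated Set-Cookie headers separate; getheader() would join them.
    cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return cookies


# Constructed sample headers, not captured from a real server.
SAMPLE_HEADERS = [
    "JSESSIONID=3F2A; Path=/",                                  # typical default
    "JSESSIONID=3F2A; Path=/; HttpOnly; Secure; SameSite=Lax",  # hardened
    "sid=abc; Path=/; HttpOnly; SameSite=None",                 # None without Secure
]

if __name__ == "__main__":
    headers = fetch_set_cookies(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for h in headers:
        print(h)
        for finding in audit_set_cookie(h) or ["OK"]:
            print("   ", finding)
        print("    hardened:", harden_set_cookie(h))
```

Run it with no arguments to see the audit on the constructed samples, or with a URL (for example the login page of the application you just reconfigured) to audit the cookies the server really sends. The live check only reports what the first response sets, so point it at the page that creates the session cookie.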