HTTPOnly and Secure Cookies


I had the pleasure of spending a week trying to fix an issue with one of my sites. We have quarterly security scans run on it, and this last round they dinged us for not using Secure and HTTPOnly cookies. Our server is using J2EE session variables. On ColdFusion 8 there is no way to tell the server to issue these cookies (jsessionid) with the HTTPOnly and Secure flags on.

You can follow Jason Dean's blog on setting up a secure cookie, but the problem is that the server still issues the insecure cookie before your code can grab it and re-issue it as secure, so the response ends up carrying both a secure and an insecure copy of the cookie, and that is exactly what the scanner sees. We host our sites with Apache, which gave us the mod_security module. Together with mod_headers it can inspect the response headers before they are sent and rewrite the ones that are missing a flag, no matter what type of application produced them: mod_security does the detection and hands the cookie value to Apache as an environment variable, and mod_headers rewrites the Set-Cookie header from it.

We ended up using the configuration below for our problem. Each SecRule has to be on a single line; the long ones are only wrapped here for display.

	# HTTPOnly AND Secure Cookies Check
	SecRuleEngine On

	# 1. Capture any Set-Cookie / Set-Cookie2 response header whose name looks like a
	#    session cookie (JSESSIONID, PHPSESSID, CFID/CFTOKEN, SID, ...) into TX:SESSIONID.
	#    MATCHED_VAR is the whole header value (name=value plus attributes), not just the
	#    fragment the regex hit, which is what the Header directives below need.
	#    This rule must set tx.sessionid: every rule that follows reads TX:SESSIONID.
	SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,nolog,setvar:tx.sessionid=%{matched_var}"

	# 2. Check the captured cookie for the HTTPOnly flag and, if it is missing, export
	#    the cookie value to Apache as the env variable httponly_cookie (and log it).
	SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"

	# 3. Only for TLS responses (port 443): check for the Secure flag and, if it is
	#    missing, export the cookie value as secure_cookie. The chained rule inherits
	#    the phase and the disruptive action of the first rule in the chain.
	SecRule SERVER_PORT "@streq 443" "chain,phase:3,t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag.'"
	SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_cookie=%{matched_var}"

	# 4. Both flags missing on a TLS response: export secure_httponly_cookie as well.
	#    In this case steps 2 and 3 have fired too, so all three env variables are set;
	#    the Header directives below rely on the last one winning.
	SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "chain,phase:3,t:none,pass,log,auditlog,msg:'AppDefect: Missing HttpOnly and Secure Cookie Flag.'"
	SecRule SERVER_PORT "@streq 443" "chain,t:none"
	SecRule TX:SESSIONID "!(?i:\;? ?secure;?)" "t:none,setenv:secure_httponly_cookie=%{matched_var}"

	# 5. mod_headers does the actual rewrite: each Header set replaces the Set-Cookie
	#    header with the captured value plus the missing flag(s). Keep this order, so
	#    that when both flags are missing the last directive produces the final header.
	Header set Set-Cookie "%{httponly_cookie}e;HTTPOnly" env=httponly_cookie
	Header set Set-Cookie "%{secure_cookie}e;Secure" env=secure_cookie
	Header set Set-Cookie "%{secure_httponly_cookie}e;Secure;HTTPOnly" env=secure_httponly_cookie

Two things to be aware of before you rely on this. Header set replaces every Set-Cookie header in the response with the single value held in the env variable. If the application sets more than one cookie in the same response (CFID and CFTOKEN next to JSESSIONID, or any cookie of your own), the others are dropped from that response. On Apache 2.2.4 or later, Header edit Set-Cookie with a pattern that only matches values lacking the flag rewrites each header in place, which avoids both the clobbering and doubled flags.

The Secure check keys off SERVER_PORT being 443. If TLS terminates on a load balancer or reverse proxy in front of Apache, Apache sees port 80, the Secure rules never fire, and the cookie goes out without the flag even though the browser is on an HTTPS connection. Test on the real listener port, or key the condition off whatever the proxy sends (for example X-Forwarded-Proto) instead. Either way, confirm the result in the browser's developer tools or with curl -I against the site: exactly one Set-Cookie per cookie, each carrying both flags, is what the scanner wants to see.
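To see what these rules actually do to a response without standing up Apache, here is an added example in Python. It is not from the original post and not part of mod_security or mod_headers: it reuses the session-cookie name pattern from the SecRule above, applies the same missing-flag tests to a constructed set of Set-Cookie headers, and contrasts a per-header fix with a model of what Header set does to a response carrying several cookies. The cookie values are made up, and the tls argument stands in for the SERVER_PORT 443 test.

```python
import re

# Session-cookie name pattern copied from the SecRule in the post. ModSecurity
# runs it unanchored over the whole Set-Cookie value; here it is applied to the
# cookie name only, so a value that happens to contain "sid" is not caught.
SESSION_NAME_RE = re.compile(
    r"(?i)(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)"
)

# Flag tests modelled on the post's negated "(?i:\;? ?httponly;?)" checks, but
# anchored to a whole attribute so "secure" inside a cookie value does not pass.
HTTPONLY_RE = re.compile(r"(?i)(^|;)\s*httponly\s*(;|$)")
SECURE_RE = re.compile(r"(?i)(^|;)\s*secure\s*(;|$)")

# Constructed sample response headers for the demo; not captured from a server.
SAMPLE_HEADERS = [
    "JSESSIONID=8a3f0c21b9; Path=/",
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=98765432; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]


def is_session_cookie(set_cookie_value):
    """True if the cookie name matches the session-cookie pattern."""
    name = set_cookie_value.split("=", 1)[0].strip()
    return SESSION_NAME_RE.search(name) is not None


def missing_flags(set_cookie_value, tls):
    """Flags the post's rules would report as missing. Secure is only
    required when the response goes out over TLS (the SERVER_PORT 443 test)."""
    missing = []
    if not HTTPONLY_RE.search(set_cookie_value):
        missing.append("HttpOnly")
    if tls and not SECURE_RE.search(set_cookie_value):
        missing.append("Secure")
    return missing


def harden(set_cookie_value, tls):
    """Append only the flags that are missing, never a duplicate."""
    value = set_cookie_value.strip().rstrip(";").rstrip()
    for flag in missing_flags(value, tls):
        value += "; " + flag
    return value


def rewrite_header_set(headers, tls):
    """Model of the post's approach: TX:SESSIONID ends up holding the last
    matching session cookie, and 'Header set Set-Cookie' then replaces EVERY
    Set-Cookie header with that one hardened value. Other cookies are lost.
    (Simplified: the rules only fire when that last cookie lacks a flag.)"""
    session = [v for v in headers if is_session_cookie(v)]
    if not session or not missing_flags(session[-1], tls):
        return list(headers)  # no env variable set, nothing rewritten
    return [harden(session[-1], tls)]


def rewrite_per_header(headers, tls):
    """Per-header fix: each session cookie gets its missing flags and every
    other header is passed through untouched."""
    return [harden(v, tls) if is_session_cookie(v) else v for v in headers]


if __name__ == "__main__":
    print("Header set model:")
    for v in rewrite_header_set(SAMPLE_HEADERS, tls=True):
        print("  Set-Cookie:", v)
    print("Per-header rewrite:")
    for v in rewrite_per_header(SAMPLE_HEADERS, tls=True):
        print("  Set-Cookie:", v)
```

Run it and the first listing shows the Header set model collapsing four cookies into a single CFTOKEN header, while the second keeps all four and adds only the flags each session cookie lacks. The anchored flag regexes are deliberately stricter than the post's: the original negated pattern treats a value such as SID=insecuretoken as already carrying Secure.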
 
