
How to enable secure cookie in Extenso?

Secure and HttpOnly cookie attributes.

Asked on 2022-01-11 15:48:00

OFFICIAL ANSWER

You have to modify the conf file with the following:

variable {
 "cookie_extranet_secure" : true,
 "cookie_extranet_httponly" : true,
 "cookie_sednove_secure" : true,
 "cookie_sednove_httponly" : true,
}

1. Secure and HttpOnly cookie attributes


The Secure and HttpOnly cookie attributes both help prevent the leaking of sensitive information. The sed_login module, starting at version 2.7, can apply those attributes to the session cookies of Extenso.

The Secure attribute instructs the browser to send the cookie over HTTPS only. Setting this attribute for a given cookie will prevent its being sent to pages served in HTTP.

The HttpOnly attribute makes the cookie invisible to JavaScript in document.cookie. It helps prevent stealing the session cookie via cross-site scripting (XSS). Set this attribute for a given cookie when the site's JavaScript code has no need to access its value.

To set those two attributes for the session cookies of Extenso, add the following lines to the website's conf file:

variable {
 "cookie_extranet_secure" : true,
 "cookie_extranet_httponly" : true,
 "cookie_sednove_secure" : true,
 "cookie_sednove_httponly" : true,
}

cookie_extranet refers to the sednoveV6 cookie that is set at login;

cookie_sednove refers to the sednove cookie that is set at the first request from a given user.

Here is how to set those four variables' values:

cookie_extranet_secure

On the vast majority of websites, the secure section (the pages that require the user to log in) will be accessible in HTTPS only. In that case, set cookie_extranet_secure to true. For a website that does not support HTTPS, leave it at false.

cookie_extranet_httponly

Verify if the website's JavaScript code uses the sednoveV6 cookie. If it does, leave cookie_extranet_httponly at false. Otherwise, set it to true.

cookie_sednove_secure

Make a request to the website's root page in HTTP. If it is automatically redirected to HTTPS, it means that the whole site is accessible in HTTPS only. If that is the case, then set cookie_sednove_secure to true.

cookie_sednove_httponly

Verify if the website's JavaScript code uses the sednove cookie. If it does, leave cookie_sednove_httponly at false. Otherwise, set it to true.

After the variables have been set in the website's conf file, restart Apache for the changes to take effect.

Answer by:
Pierre Laplante

Replied on: 2022-01-14 13:44:00
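The following is an added verification example, not code from Extenso or from the answer above. After restarting Apache, a practitioner will want to confirm two things the answer describes: that the root page in HTTP redirects to HTTPS (the test for cookie_sednove_secure) and that the sednove and sednoveV6 cookies actually carry the Secure and HttpOnly attributes in the server's Set-Cookie headers. The script parses raw Set-Cookie header lines and a redirect response; the header values below are constructed sample data, and the cookie names are the two named in the answer.

```python
"""Audit Extenso session cookies for the Secure and HttpOnly attributes.

Added example (not part of the Extenso documentation). It works on raw
HTTP response data so it can be fed from any HTTP client, or, as here,
from constructed sample headers.
"""

# Cookies named in the help-desk answer and the attributes they should carry.
EXPECTED_ATTRIBUTES = {
    "sednoveV6": {"secure", "httponly"},   # set at login (cookie_extranet_*)
    "sednove": {"secure", "httponly"},     # set on first request (cookie_sednove_*)
}


def parse_set_cookie(header):
    """Return (cookie_name, set of lower-cased attribute names) for one Set-Cookie value.

    Attributes with values (Path=/, Expires=...) and bare flags (Secure,
    HttpOnly) are both reduced to their lower-cased name.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attributes = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attributes.add(key)
    return name, attributes


def audit_cookies(set_cookie_headers, expected=EXPECTED_ATTRIBUTES):
    """Return {cookie_name: sorted list of missing attributes}.

    A cookie that the response does not set at all is reported as
    ["not set"], so a misconfiguration is never hidden by its absence.
    """
    seen = {}
    for header in set_cookie_headers:
        name, attributes = parse_set_cookie(header)
        if name in expected:
            seen[name] = attributes
    report = {}
    for name, wanted in expected.items():
        if name not in seen:
            report[name] = ["not set"]
        else:
            report[name] = sorted(wanted - seen[name])
    return report


def redirects_to_https(status, headers):
    """Mirror the answer's check for cookie_sednove_secure.

    True when the plain-HTTP request to the root page answered with a
    redirect whose Location is an https:// URL.
    """
    if status not in (301, 302, 303, 307, 308):
        return False
    location = headers.get("Location", "")
    return location.lower().startswith("https://")


# Constructed sample data, not captured from a real server.
SAMPLE_SET_COOKIE = [
    "sednoveV6=abc123; Path=/; Secure; HttpOnly",
    "sednove=xyz789; Path=/; Secure",  # HttpOnly missing: cookie_sednove_httponly not applied
]
SAMPLE_HTTP_ROOT_RESPONSE = (301, {"Location": "https://www.example.test/"})

if __name__ == "__main__":
    print("root page redirects to HTTPS:", redirects_to_https(*SAMPLE_HTTP_ROOT_RESPONSE))
    for cookie, missing in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(cookie, "OK" if not missing else "missing: " + ", ".join(missing))
```

To use it against a live site, collect the Set-Cookie headers from the first request and from the login response (the two cookies are set at different moments, as the answer notes) and pass them to audit_cookies; an empty list for every cookie means both attributes are in place.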