topic Re: How to set the HttpOnly flag for the cookie in alfresco. in Alfresco Forum

How to set the HttpOnly flag for the cookie in alfresco.

akash251998 — Thu, 13 Aug 2020 05:44:43 GMT

Hi all,

I am using alfresco community version 5.2 and due to some security concern i want to set Httponly flag for the cookie.

How to do that. Please suggest any solution

Regards

Akash D

Re: How to set the HttpOnly flag for the cookie in alfresco.

afaust — Thu, 13 Aug 2020 07:13:35 GMT

It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via Tomcat configuration via the context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml

All other cookies are tougher to crack, and in the end, I typically end up with Cookie rewrite handling in the Reverse Proxy, similar to this handling of Secure/SameSite. Of course for httpOnly you absolutely have to be sure that no client JavaScript ever needs to access the cookie value, so it should not be handled in such a generic / blanket fashion.

Re: How to set the HttpOnly flag for the cookie in alfresco.

akash251998 — Thu, 13 Aug 2020 11:03:31 GMT

Sorry afaust as i am unable to perform the solution provided by you. So is there any other solution with the help of which i can set httpOnly for alfresco.

Thanks in Advance

Akash D

Re: How to set the HttpOnly flag for the cookie in alfresco.

afaust — Thu, 13 Aug 2020 11:16:44 GMT

I am not aware of any simpler solution, as I too would have used such if it were available.

Re: How to set the HttpOnly flag for the cookie in alfresco.

akash251998 — Fri, 14 Aug 2020 06:09:58 GMT

Dear @afaust as explaied by you:

Can you please tell what code i need to add and where. Please help it could solve my issue. I want to set httpOnly for JSESSIONID cookie.

Hoping for your response.

Thanks in Advance

Regards

Akash

Re: How to set the HttpOnly flag for the cookie in alfresco.

afaust — Fri, 14 Aug 2020 11:09:27 GMT

All the information was already in my original reply. You need to set th useHttpOnly config attribute in alfresco.xml / share.xml in the specified paths. The only thing I can do more is to link to a sample file from my Docker build.

Re: How to set the HttpOnly flag for the cookie in alfresco.

akash251998 — Fri, 14 Aug 2020 11:54:07 GMT

Thanku so much @afaust for your help.

Regards

Akash

Re: How to set the HttpOnly flag for the cookie in alfresco.

EddieMay — Fri, 14 Aug 2020 14:07:38 GMT

Hi @akash251998,

I'm so glad @afaust was able to help you resolve your issue & thank you for accepting his solution.

Best wishes,

Re: How to set the HttpOnly flag for the cookie in alfresco.

akash251998 — Mon, 17 Aug 2020 06:23:31 GMT

Dear @afaust as per your suggestion i have done the changes in the files alfresco.xml and share.xml at the location :

D:\DMS\tomcat\conf\Catalina\localhost

My alfresco.xml file

<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
<Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/platform/*.jar" />
</Context>

My share.xml file

I am getting the JSESSIONID in my cookies as not set to httpOnly. I am attaching screenshot ofthe cookies information.

Error

Is there any other change we have to do to achieve our requirement. @afaust please have a look hope this time also i will get a positive response.

Regards

Akash D

Re: How to set the HttpOnly flag for the cookie in alfresco.

akash251998 — Tue, 18 Aug 2020 04:57:01 GMT

Dear @EddieMay will you please look into the above issue.