How to set the HttpOnly flag for the cookie in alfresco.

akash251998
Star Contributor

Hi all, 

I am using Alfresco Community version 5.2 and, due to some security concerns, I want to set the HttpOnly flag for the cookie.

How do I do that? Please suggest any solution.

Regards 

Akash D

1 ACCEPTED ANSWER

afaust
Legendary Innovator

All the information was already in my original reply. You need to set the useHttpOnly config attribute in alfresco.xml / share.xml in the specified paths. The only thing I can do more is to link to a sample file from my Docker build.

9 REPLIES

afaust
Legendary Innovator

It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via Tomcat configuration, via the context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml.

All other cookies are tougher to crack, and in the end, I typically end up with Cookie rewrite handling in the Reverse Proxy, similar to this handling of Secure/SameSite. Of course for httpOnly you absolutely have to be sure that no client JavaScript ever needs to access the cookie value, so it should not be handled in such a generic / blanket fashion.
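As an added example (not part of this thread or of Alfresco), the following script shows how to verify the outcome of the change afaust describes: it parses the Set-Cookie headers a server returns and reports, per cookie, which of the HttpOnly, Secure and SameSite attributes are missing. The sample headers are constructed for the example; the optional live fetch assumes a hypothetical Alfresco login URL on localhost and is only a helper, not something the thread provides.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / SameSite attributes.

Added example for checking whether Tomcat's useHttpOnly (or a reverse-proxy
cookie rewrite) actually took effect. Not Alfresco's own code.
"""
import urllib.request

# Constructed sample headers, as a server might emit them before and after
# the change discussed above (values are made up).
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/alfresco; HttpOnly",
    "JSESSIONID=DEF456; Path=/share",
    "alfLogin=1; Path=/share; Secure; SameSite=Lax",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_headers, require_secure=True):
    """Return a list of (name, path, missing_attributes) for each Set-Cookie header.

    HttpOnly is always required; Secure is required unless the deployment is
    plain HTTP (require_secure=False); SameSite is always reported if absent.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if require_secure and "secure" not in attrs:
            missing.append("Secure")
        if "samesite" not in attrs:
            missing.append("SameSite")
        path = attrs.get("path", "/")
        findings.append((cookie["name"], path, missing))
    return findings


def fetch_set_cookie_headers(url):
    """Fetch a URL and return all Set-Cookie headers (helper; needs a live server)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_set_cookie_headers("http://localhost:8080/share/page") (hypothetical
    # URL) to audit a real deployment after restarting Tomcat.
    for name, path, missing in audit_cookies(SAMPLE_HEADERS, require_secure=False):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name} (Path={path}): {status}")
```

Note that useHttpOnly on the Tomcat Context only governs the session cookie; running the audit against a real login response will also surface any other cookies that still lack the flag, which is the case afaust's second paragraph warns needs individual judgement rather than a blanket rewrite.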

Sorry afaust, I am unable to perform the solution provided by you. So is there any other solution with the help of which I can set httpOnly for Alfresco?

Thanks in Advance

Akash D

afaust
Legendary Innovator

I am not aware of any simpler solution, as I too would have used such if it were available.

Dear @afaust, as explained by you:

It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via Tomcat configuration via the context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml.

Can you please tell what code I need to add and where? Please help, it could solve my issue. I want to set httpOnly for the JSESSIONID cookie.

Hoping for your response.

Thanks in Advance

Regards 

Akash

afaust
Legendary Innovator

All the information was already in my original reply. You need to set the useHttpOnly config attribute in alfresco.xml / share.xml in the specified paths. The only thing I can do more is to link to a sample file from my Docker build.

Thank you so much @afaust for your help.

Regards 

Akash

EddieMay
World-Class Innovator

Hi @akash251998,

I'm so glad @afaust was able to help you resolve your issue & thank you for accepting his solution.

Best wishes, 

Digital Community Manager, Alfresco Software.

Dear @afaust, as per your suggestion I have made the changes in the files alfresco.xml and share.xml at the location:

D:\DMS\tomcat\conf\Catalina\localhost

My alfresco.xml file 

<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
<Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/platform/*.jar" />
</Context>

My share.xml file

<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
<Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/share/*.jar" />
</Context>

The JSESSIONID in my cookies is still not set to httpOnly. I am attaching a screenshot of the cookie information.

Is there any other change we have to make to achieve our requirement? @afaust please have a look, I hope this time also I will get a positive response.

Regards

Akash D

Dear @EddieMay, will you please look into the above issue?