How to set the HttpOnly flag for the cookie in alfresco.

akash251998
Established Member II

How to set the HttpOnly flag for the cookie in alfresco.

Hi all, 

I am using Alfresco Community version 5.2 and due to some security concern I want to set the HttpOnly flag for the cookie.

How do I do that? Please suggest any solution.

Regards 

Akash D


9 Replies
afaust
Master

Re: How to set the HttpOnly flag for the cookie in alfresco.

It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via Tomcat configuration via the context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml.

All other cookies are tougher to crack, and in the end, I typically end up with Cookie rewrite handling in the Reverse Proxy, similar to this handling of Secure/SameSite. Of course for httpOnly you absolutely have to be sure that no client JavaScript ever needs to access the cookie value, so it should not be handled in such a generic / blanket fashion.
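
A small audit of the Set-Cookie headers a server actually sends is the quickest way to confirm which cookies carry HttpOnly (and Secure / SameSite) after a change like the one above. This is an added example, not code from this thread or from Alfresco; the headers and the cookie names in the allowlist are constructed assumptions, and the allowlist models the caveat that a cookie client JavaScript must read cannot be HttpOnly.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (plus Secure / SameSite).

Added example, not code from the Alfresco thread. The headers below are
constructed to resemble what a Tomcat-hosted Alfresco/Share instance could
send; they were not captured from a real server.
"""
from typing import Dict, List

# Cookies that client-side JavaScript legitimately reads must NOT be
# HttpOnly, so they are excluded from findings. Names here are assumptions.
JS_READABLE_ALLOWLIST = {"alfUsername3"}

SAMPLE_SET_COOKIE_HEADERS = [  # constructed sample, not real server output
    "JSESSIONID=ABC123; Path=/alfresco; Secure; HttpOnly",
    "JSESSIONID=DEF456; Path=/share; Secure",
    "alfLogin=1; Path=/share",
    "alfUsername3=admin; Path=/share",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and its attributes.
    Attribute names are case-insensitive (RFC 6265); bare flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {
        "name": name.strip(),
        "value": value,
        "path": attrs.get("path", "/"),
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        "samesite": attrs.get("samesite"),
    }


def find_missing_httponly(headers: List[str]) -> List[str]:
    """Return 'name@path' for each cookie that should be HttpOnly but is not."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in JS_READABLE_ALLOWLIST:
            continue  # JavaScript needs this one; HttpOnly would break the client
        if not cookie["httponly"]:
            findings.append(f"{cookie['name']}@{cookie['path']}")
    return findings


if __name__ == "__main__":
    for finding in find_missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print("missing HttpOnly:", finding)
```

Because Alfresco and Share are separate web applications, each sets its own JSESSIONID on its own path, so a context change in alfresco.xml alone leaves the Share cookie unchanged, which is exactly what the per-path output makes visible.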

akash251998
Established Member II

Re: How to set the HttpOnly flag for the cookie in alfresco.

Sorry afaust, I am unable to perform the solution provided by you. So is there any other solution with the help of which I can set httpOnly for Alfresco?

Thanks in Advance

Akash D

afaust
Master

Re: How to set the HttpOnly flag for the cookie in alfresco.

I am not aware of any simpler solution, as I too would have used such if it were available.

akash251998
Established Member II

Re: How to set the HttpOnly flag for the cookie in alfresco.

Dear @afaust, as explained by you:

It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via Tomcat configuration via the context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml.

Can you please tell me what code I need to add and where? Please help, it could solve my issue. I want to set httpOnly for the JSESSIONID cookie.

Hoping for your response.

Thanks in Advance

Regards 

Akash

afaust
Master

Re: How to set the HttpOnly flag for the cookie in alfresco.

All the information was already in my original reply. You need to set the useHttpOnly config attribute in alfresco.xml / share.xml in the specified paths. The only thing I can do more is to link to a sample file from my Docker build.

akash251998
Established Member II

Re: How to set the HttpOnly flag for the cookie in alfresco.

Thank you so much @afaust for your help.

Regards 

Akash

EddieMay
Alfresco Employee

Re: How to set the HttpOnly flag for the cookie in alfresco.

Hi @akash251998,

I'm so glad @afaust was able to help you resolve your issue & thank you for accepting his solution.

Best wishes, 

Digital Community Manager, Alfresco Software.

akash251998
Established Member II

Re: How to set the HttpOnly flag for the cookie in alfresco.

Dear @afaust, as per your suggestion I have done the changes in the files alfresco.xml and share.xml at the location:

D:\DMS\tomcat\conf\Catalina\localhost

My alfresco.xml file 

<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
    <Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/platform/*.jar" />
</Context>

My share.xml file

<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
    <Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/share/*.jar" />
</Context>

I am getting the JSESSIONID in my cookies as not set to httpOnly. I am attaching a screenshot of the cookies information.

Is there any other change we have to do to achieve our requirement? @afaust please have a look, hope this time also I will get a positive response.

Regards

Akash D

akash251998
Established Member II

Re: How to set the HttpOnly flag for the cookie in alfresco.

Dear @EddieMay, will you please look into the above issue?