This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Authentication Cookies are missing the Secure flag

Posted on 07-27-2018 09:09 AM
adevegowda
Staff
Reply posted on --/--/---- --:-- AM

We found that the Authentication/session cookies did not have the Secure Flag attribute set in the Edge UI.

Impact: If secure flag is not set, a cookie is considered safe to be sent in the clear over unsecured channels; allowing an attacker the ability to capture and replay the cookie or hijack an active session.

Here are the Cookies where we don't see Secure flag:

https://<Edge-UI-URL>/

Set-Cookie: PLAY_SESSION=; Max-Age=0; Expires=Thu, 24 May 2018 21:27:33 GMT; Path=/platform
Set-Cookie: PLAY_FLASH=url=%2F; Path=/; HTTPOnly
Set-Cookie:
PLAY_SESSION=<token>csrfToken=<token>; MaxAge=86400;
Expires=Fri, 25 May 2018 21:27:33 GMT; Path=/; HTTPOnly</div>

Can you please let me know how to make the Authentication cookies secure ?

Solved Solved
0 1 3,467
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
adevegowda
Staff
Reply posted on --/--/---- --:-- AM

To set Secure flag for Authentication Cookies, we need to follow the below steps:

  1. Open the /opt/apigee/customer/application/ui.properties file in an editor. If the file does not exist, create it.
  2. Set the property session.secure to true in the /opt/apigee/customer/application/ui.properties file as shown below: 
    conf_application_session.secure=true
  3. Save your changes.
  4. Restart the Edge UI: 
    /opt/apigee/xapigee-service/bin/apigee-service edge-ui restart

Post this change, we could see that second PLAY_SESSION cookie had the Secure flag.

You can run the curl command to check the values of Cookies.

curl -i https://<EdgeUI URL>

Here's some context on which information has to be secure:

The PLAY_SESSION can be of two types:

  1. One that contains the access and refresh tokens. This one should be Secure.
  2. There could be another PLAY_SESSION that is blank, with path /platform. Since it's blank and does not contain any key/confidential information, it doesn't need to be SECURE.
  3. Also, The PLAY_FLASH does not have auth related information, so it does not need to be secure.

View solution in original post

Jump to Solution
1 REPLY 1
Top Solution Authors
View all