In a security scan result, I received the following error:
"Missing Secure Attribute in Encrypted Session (SSL) Cookie" for WL_PERSISTENT_COOKIE and testcookie.
I don't know how to set the secure attribute for these cookies; the WebSphere server only lets me set the secure attribute for the JSESSIONID cookie, not for the others.
Here are my conclusions from my appscan results:
testcookie: This cookie seems to be generated in the worklight.js file. According to AppScan, the application sends a request to the server (GET /ParkingApp/apps/services/preview/SmarterParking/common/0/default/worklight/worklight.js HTTP/1.1) and the server responds with this file, which has the following code fragment:

    areCookiesEnabled : function() {
        var enabled = true;
        if (WL.EnvProfile.isEnabled(WL.EPField.WEB)) {
            // Write a throwaway cookie that expires in 24 hours, then read it back
            var date = new Date();
            date.setTime(date.getTime() + (24 * 60 * 60 * 1000));
            document.cookie = "testcookie=oreo; expires=" + date.toGMTString() + "; path=/";
            var cookie = getCookie('testcookie');
            // Cookies are enabled only if the value survived the round trip
            enabled = (cookie.value === 'oreo');
        }
        return enabled;
    }
So I understand that the cookie is set in this file as the subsequent requests and responses exchange the testcookie.
How can I edit this file as it seems a predefined file in worklight? Would it be a good practice to edit this file so that I modify that line to include the secure attribute?
WL_PERSISTENT_COOKIE: With this cookie I'm a little bit stuck. The Worklight server looks for this cookie in the request and, if it is not found, sends it back to the client in a Set-Cookie header. This is what I'm seeing in the security scan; however, the server doesn't set this cookie with the secure attribute, and I don't find the option in the WebSphere server settings. How could I set the persistent cookie to have the secure attribute?
Thank you very much in advance!
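For reference, here is an added example (not code from Worklight or from the question) of how a cookie-capability probe like the one in worklight.js could carry the Secure attribute without breaking on plain HTTP. The CookieJar class is a constructed stand-in for document.cookie so the code runs outside a browser; buildTestCookie, parseCookieString and the jar's behaviour are assumptions for this illustration, not Worklight APIs.

```javascript
// Added example: a testcookie probe that adds the Secure attribute on HTTPS.
// Illustrative only; the cookie jar is a constructed stand-in for document.cookie.

const ONE_DAY_MS = 24 * 60 * 60 * 1000;

// Build the string that would be assigned to document.cookie.
// `protocol` is what window.location.protocol returns ("https:" or "http:").
function buildTestCookie(protocol, now) {
  const expires = new Date(now.getTime() + ONE_DAY_MS);
  let cookie = "testcookie=oreo; expires=" + expires.toUTCString() + "; path=/";
  // Browsers only store a Secure cookie when the page itself is https:, so an
  // unconditional "; Secure" would make the probe report "cookies disabled"
  // on http: pages. Add the flag only where it can take effect.
  if (protocol === "https:") cookie += "; Secure";
  return cookie;
}

// Split "name=value; attr; attr=value" into its parts (attribute keys lowercased).
function parseCookieString(cookie) {
  const parts = cookie.split(";").map((p) => p.trim());
  const eqName = parts[0].indexOf("=");
  const name = parts[0].slice(0, eqName);
  const value = parts[0].slice(eqName + 1);
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name, value, attributes };
}

// Minimal stand-in for document.cookie that applies the browser's Secure rule:
// a cookie flagged Secure is only accepted on an https: origin.
class CookieJar {
  constructor(protocol) {
    this.protocol = protocol; // "https:" or "http:"
    this.cookies = new Map();
  }
  set(cookieString) {
    const c = parseCookieString(cookieString);
    if (c.attributes.secure && this.protocol !== "https:") return; // silently dropped
    this.cookies.set(c.name, c);
  }
  get(name) {
    return this.cookies.get(name) || null;
  }
}

// Same logic as the probe in the question, with the cookie store injected.
function areCookiesEnabled(jar, now = new Date()) {
  jar.set(buildTestCookie(jar.protocol, now));
  const cookie = jar.get("testcookie");
  return cookie !== null && cookie.value === "oreo";
}

// Usage: areCookiesEnabled(new CookieJar("https:")) -> true, and the stored
// cookie carries Secure; on an http: jar the probe still succeeds, without Secure.
```

The point of the conditional is the failure mode the probe has to survive: a Secure cookie written from an http: page is discarded by the browser, so the read-back fails and the application would wrongly conclude that cookies are disabled. Whether it is worth patching a vendor file for a non-sensitive probe cookie is a separate question, which the answers below address.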
The short answer is that there is no option to set the secure attribute for either of these cookies. These two cookies are not considered sensitive, but AppScan does not know whether they are sensitive or not and so just reports that the secure attribute is not set.
In the case of testcookie, it is only used by the client to test whether cookies can be set or not. It is not used by the server at all.
The WL_PERSISTENT_COOKIE is a randomly generated ID to associate a request with a user identity when there is no other user identity established. It is used internally to represent an anonymous ID for purposes like tracking/reporting. It is not used for protecting resources that require authentication and authorization. So capturing a WL_PERSISTENT_COOKIE token and using it from another device or another session would not grant any additional or different privileges.
It seems that both testcookie and WL_PERSISTENT_COOKIE are used by Worklight. testcookie is just a fake cookie used to check whether cookies are enabled, and WL_PERSISTENT_COOKIE is used by the persistent cookie authenticator as described in the documentation here:
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/devref/r_persistent_cookie_authenticato.html
I think you can't change those cookies, as they are used and set by Worklight.