My site is using HTTPS to transport data, and I scanned it with AppScan; it told me that Set-Cookie is not secure, but Cookie is secure.
So what is the difference between Set-Cookie and Cookie?
Your server controls the Set-Cookie header, so if a browser does not provide the Cookie header, the server can decide to send a Set-Cookie.
Then your browser decides to accept the cookie by sending back a Cookie header for the server to use. For example, if you have cookies disabled in the browser, it will not send back the Cookie header to the server.
The "Set-Cookie" header is sent from the web server, and the browser sends the cookie back to the server in an HTTP header called "Cookie".
Does the HttpOnly or Secure flag header work on the HTTP request or the HTTP response?
Most of the time I see it on the response.
According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Please check https://www.owasp.org/index.php/HttpOnly
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag).
And it mitigates the most common XSS attack by using HttpOnly.
XSS like alert(document.cookie) can be executed if the HttpOnly or Secure flag is not available in the response header; you can set these headers from the web application server configuration. Once you set the headers, the user's browser will get them in the response and the browser will deny any JavaScript from getting the cookie data. So these headers are response headers.
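As an added illustration (not part of the original answers), the following Node.js code parses a Set-Cookie response header the way a scanner such as AppScan does and lists the attributes it would flag, builds a correctly flagged header, and parses the request-side Cookie header to show that it carries only name=value pairs, which is why Secure and HttpOnly findings are only ever about Set-Cookie. The function names and the sample headers are my own; the headers are constructed, not captured from a real site.

```javascript
// Added example: not from the original answers. Function names are my own.

// Parse one Set-Cookie *response* header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// List what a scanner would report for a Set-Cookie header: the checks mirror
// the usual findings (missing Secure, missing HttpOnly, missing or inconsistent SameSite).
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (!attrs.samesite) findings.push('missing SameSite');
  else if (String(attrs.samesite).toLowerCase() === 'none' && !attrs.secure) {
    findings.push('SameSite=None requires Secure');
  }
  return { name, findings };
}

// Build the header the server should emit: the flags go on the response, never the request.
function buildSetCookie(name, value, opts = {}) {
  const { path = '/', sameSite = 'Lax', maxAge } = opts;
  let header = `${name}=${value}; Path=${path}; HttpOnly; Secure; SameSite=${sameSite}`;
  if (maxAge !== undefined) header += `; Max-Age=${maxAge}`;
  return header;
}

// The *request* Cookie header is just name=value pairs. The browser never
// echoes Secure or HttpOnly back, so a scanner has nothing to flag here.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const pair of header.split(';')) {
    const i = pair.indexOf('=');
    if (i === -1) continue;
    jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Constructed sample headers (not captured from a real site).
const weakHeader = 'JSESSIONID=abc123; Path=/';
const strongHeader = buildSetCookie('JSESSIONID', 'abc123', { maxAge: 3600 });
const requestHeader = 'JSESSIONID=abc123; theme=dark';

console.log(auditSetCookie(weakHeader));       // findings: missing Secure, HttpOnly, SameSite
console.log(auditSetCookie(strongHeader));     // findings: []
console.log(parseCookieHeader(requestHeader)); // { JSESSIONID: 'abc123', theme: 'dark' }
```

Run it against the headers your own server emits (curl -I and copy the Set-Cookie lines) and the findings should match what AppScan reports; fixing them means changing the server's Set-Cookie, since the browser's Cookie header cannot carry those attributes at all.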
We have come across an issue in production logs where "Accept-Language" is missing from the HTTP request from the browser. Although I am not able to replicate it, I want to understand any valid use case where a specific browser may send a request without the "Accept-Language" header.
Even GET / HTTP/1.0 is a valid HTTP request. You can create one from the telnet client if you wish and it will still return a result from the server!
Accept-Language is a header to aid in content negotiation and is optional. The most widely used browsers send the correct headers, but there may be corporate proxies that filter such headers. You should not rely on this header being present.
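Added example, not from the original answer: an Accept-Language parser that follows the advice above, treating the header as optional and falling back to a default language when it is absent, empty, filtered or malformed. The function names and the sample header values are mine.

```javascript
// Added example: not from the original answer. Function names are my own.

// Parse an Accept-Language value into language tags ordered by q-value.
// Returns [] when the header is absent, empty or not a string.
function parseAcceptLanguage(header) {
  if (typeof header !== 'string' || header.trim() === '') return [];
  return header
    .split(',')
    .map((part, index) => {
      const [tag = '', ...params] = part.trim().split(';').map((s) => s.trim());
      let q = 1; // default weight when no q parameter is given
      for (const p of params) {
        const m = /^q=(\d(?:\.\d{1,3})?)$/i.exec(p);
        if (m) q = parseFloat(m[1]); // a malformed q (e.g. q=abc) is ignored, not fatal
      }
      return { tag: tag.toLowerCase(), q, index };
    })
    .filter((e) => e.tag !== '' && e.q > 0) // q=0 means "not acceptable"
    .sort((a, b) => b.q - a.q || a.index - b.index); // keep original order on ties
}

// Pick the best supported language; never throws when the header is missing.
function pickLanguage(header, supported, fallback) {
  const lower = supported.map((s) => s.toLowerCase());
  for (const { tag } of parseAcceptLanguage(header)) {
    if (tag === '*') return fallback; // wildcard: anything is fine, use the default
    const exact = lower.indexOf(tag);
    if (exact !== -1) return supported[exact];
    // de-CH should still match a server that only offers "de"
    const primary = tag.split('-')[0];
    const loose = lower.findIndex((s) => s.split('-')[0] === primary);
    if (loose !== -1) return supported[loose];
  }
  return fallback; // header absent, stripped by a proxy, or nothing we support
}

// Constructed request headers (not taken from production logs).
const SUPPORTED = ['en', 'de', 'fr'];
console.log(pickLanguage(undefined, SUPPORTED, 'en'));                   // en (header missing)
console.log(pickLanguage('de-CH, de;q=0.9, en;q=0.8', SUPPORTED, 'en')); // de
console.log(pickLanguage('es;q=0.9, fr-CA;q=0.8', SUPPORTED, 'en'));     // fr
```

The important property is that every path returns a usable language: a request with no Accept-Language at all (as in the production logs described above) is handled exactly like one that only asks for languages the server does not have.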
I'm trying to proxy a PHP API service, but I need to authenticate based on a session token.
Does node-http-proxy have options to forward the cookies to the target?
The issue is most likely that you're accessing the service via HTTP while the proxy is requesting HTTPS and the cookie is set to Secure. So your browser won't send it when making an HTTP call.
I remember having a problem like this once. In my case what happened was that though the original cookie was sent with the request, the response from the proxy did not have that cookie.
What I ended up doing was saving the cookie before making the proxy request and then adding it to the response coming back from the proxy. You can write to the response cookies by doing something like this:
var existing = [].concat(res.getHeader('set-cookie') || []); // res._headers was private and is gone in current Node; getHeader may return a string, an array or undefined
var setCookie = existing.concat(testGroup); // testGroup holds the cookie(s) saved before the proxy request
res.setHeader('set-cookie', setCookie);
As we know, a cookie with the Secure attribute means that it is only transmitted via an encrypted connection. So my question is: can a cookie be a secure one and a not-secure one? If so,
why, or for what?
As stated, a cookie can have a Secure flag.
If true, the cookie is only sent by the browser for HTTPS requests.
If false, the cookie is sent by the browser for both HTTP and HTTPS requests.
There is no setting for transmission solely on HTTP. The HttpOnly flag simply stops it being accessible via JavaScript and other client-side languages; it does not affect its HTTP/HTTPS behaviour.
So by setting Secure to false, the cookie will be transmitted both encrypted and unencrypted, depending on the current protocol.
This is not recommended as the cookie value could be sniffed if sent over the HTTP connection, or forced to by an attacker (e.g. the attacker simply linking to the HTTP site in an image tag on their site will cause the value to be leaked - <img src="http://www.example.com/img.jpg" />).
The Secure and HttpOnly attributes do not have associated values. Rather, the presence of the attribute names indicates that the Secure and HttpOnly behaviors are specified.
The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. If a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks.
The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique). Among others, Facebook and Google use the HttpOnly attribute extensively.
In short, the 'Secure' attribute means the cookie requires secure (SSL) transmission, for example HTTPS.
This is to prevent cookie theft or cookie hijacking. You can have a look at this wiki
You might also want to know about Cookie Encryption or Signed Cookies, a way to make your cookies safe from malicious cookie modification. Basically you append a hash to the cookie value and use it to verify that the value of the cookie has not been modified.
Is there a way of setting a request cookie HttpOnly? If not, why can't we set it? I've set the response cookies to HttpOnly using weblogic.xml / WebLogic server.
Not possible.
Cookies are set in an HTTP response and are read from an HTTP request. You can only set flags when cookies are created, so they can only be set in the response when using HTTP; it would not make sense to set HttpOnly on a request cookie.