Solved

Set cookies HttpOnly and Secure

Posted on 2016-11-10
4
279 Views
Last Modified: 2016-11-14
I have added the following to web.config for my SharePoint 2013 website, but there are 3 or more cookies that do not seem to respect the setting below.

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" lockItem="true" />



Cookies:
  1. SearchSession
  2. WOPISessionContext
  3. WSS_FullScreenMode

What else should I do to ensure all SharePoint cookies are set to be HttpOnly and Secure? This is for security scanning purposes.
0
Question by:hongjun
4 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41883371
What is setting those cookies?  If it is JavaScript in the pages, the settings in web.config have no effect.
0
 
LVL 33

Author Comment

by:hongjun
ID: 41883397
@Dave

Yes, I am aware that cookies created by JavaScript will not be affected. Do you know how SP creates these cookies then?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41883404
Which cookies and which application?  'web.config' only controls things done through the server and probably not even all of them.
0
 
LVL 63

Accepted Solution

by:btan (earned 500 total points)
ID: 41883717
WOPISessionContext cookies come from Office Web Apps in SharePoint 2013 libraries, e.g. when the browser opens any web part, it will have the "WOPISessionContext" cookie set by SharePoint. For example, one such Web App may allow redirects to a specific URL by setting a cookie in its web app code, and you can set the flags there:
window.document.cookie = "WOPISessionContext=http://client1.mydomain.com/project11210/default.aspx;path=/";
Likewise, this may be done via JS and is not covered by the config.

The same goes for "WSS_FullScreenMode", which is mostly set in objects and methods that come with the SharePoint JavaScript libraries (e.g. SP.Runtime.js) and are used in the SharePoint App. It is non-trivial but possible to "hunt" down the app setting this in the .js libraries, for example:
var context = SP.ClientContext.get_current();
var request = new SP.WebRequestInfo();

// Set the URL, HTTP method and Accept header
request.set_url("http://uvo1vnoxg7xeb0u4dm1.env.cloudshare.com/WebAPI005/api/values");
request.set_method("GET");
request.set_headers({ "Accept": "application/json" });

// Send the request through the SharePoint web proxy
var response = SP.WebProxy.invoke(context, request);
context.executeQueryAsync(successHandler, errorHandler);
The "SearchSession" cookie is likely due to the Search web part or a related app performing "search" using .js libraries. But note that SharePoint 2013 doesn't use session cookies by default, but rather persistent cookies. There is PowerShell to set SharePoint to use session cookies for the SAML token service, e.g.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx

Not sure if we can do all the settings once we identify those apps and go specific, or whether there is a global setting for cookies. But at minimum, knowing what the underlying apps in SharePoint are will be a good start; see this PS script: http://www.dev4side.com/en/blog/posts/2014/07/07/how-to-retrieve-all-apps-installed-on-a-sharepoint-2013-web-application-through-powershell
0
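The distinction the thread turns on (cookies sent by the server in Set-Cookie headers, which web.config's httpCookies governs, versus cookies written by page script through document.cookie, which web.config cannot touch and which can never be HttpOnly) can be checked mechanically from a scan capture. The script below is an added example, not code from the thread or from SharePoint; the Set-Cookie headers, the document.cookie string and the name ExampleCookie are constructed sample data, while the other cookie names are the ones discussed above.

```python
# Constructed sample Set-Cookie headers as captured from the server's HTTP responses.
SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=0f3c9a; path=/; secure; HttpOnly",
    "ExampleCookie=1; path=/",  # constructed name: server-set but left unflagged
]

# Constructed sample document.cookie read in the browser after a page loads.
# HttpOnly cookies are invisible to script by design, so ASP.NET_SessionId is absent.
DOCUMENT_COOKIE = (
    "ExampleCookie=1; "
    "WOPISessionContext=http://client1.mydomain.com/project11210/default.aspx; "
    "WSS_FullScreenMode=false; SearchSession=abc123"
)

REQUIRED = ("httponly", "secure")


def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def cookie_names(document_cookie):
    """Names visible to script via document.cookie (name=value pairs only, no attributes)."""
    return [c.strip().split("=", 1)[0] for c in document_cookie.split(";") if c.strip()]


def triage(set_cookie_headers, document_cookie):
    """Map cookie name -> (origin, missing flags). origin is 'server' when a Set-Cookie
    header set it (so <httpCookies> in web.config governs it), else 'javascript'.
    For JavaScript cookies only HttpOnly is reported: script cannot set it at all,
    and document.cookie does not reveal whether Secure was given."""
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        report[name] = ("server", tuple(f for f in REQUIRED if f not in attrs))
    for name in cookie_names(document_cookie):
        if name not in report:  # never sent by the server, so written by script
            report[name] = ("javascript", ("httponly",))
    return report


def needs_attention(report):
    """Cookies still lacking a flag: server ones mean the web.config setting is not taking
    effect for that response; JavaScript ones can only be fixed in the script itself."""
    return sorted(n for n, (_, missing) in report.items() if missing)
```

Feed it the real Set-Cookie headers from the scanner's HTTP capture and the document.cookie value from a browser session on the same site; every name that lands in the javascript bucket is one to trace in the page's .js libraries rather than in web.config.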
