Solved

Set cookies HttpOnly and Secure

Posted on 2016-11-10
4
439 Views
Last Modified: 2016-11-14
Have added the following in web.config for my SharePoint 2013 website but there are 3 or more cookies that do not seem to respect the below setting.

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" lockItem="true" />

Open in new window


Cookies:
  1. SearchSession
  2. WOPISessionContext
  3. WSS_FullScreenMode

What else should I do to ensure all SharePoint cookies are set to be HttpOnly and Secure ? This is for security scanning purposes.
0
Comment
Question by:hongjun
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41883371
What is setting those cookies?  If it is JavaScript in the pages, the settings in web.config have no effect.
0
 
LVL 33

Author Comment

by:hongjun
ID: 41883397
@Dave

Yes am aware cookies created by JavaScript will have no impact. Do you know how SP creates these cookies then?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41883404
Which cookies and which application?  'web.config' only controls things done thru the server and probably not even all of them.
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41883717
WOPISessionContext cookies - from Office Web App in a SharePoint 2013 libraries. e.g. When the browser opens up any web part, it will have the "WOPISessionContext" cookie set by SharePoint. Example, one of such Web Apps may allow redirects to a specific URL by setting a cookie using its web app codes and you can set the flags herein
window.document.cookie = "WOPISessionContext=http://client1.mydomain.com/project11210/default.aspx;path=/";
Likewise this may be via JS and not covered as per config.

Same goes for "WSS_FullScreenMode" which is mostly in objects and methods that comes with the Sharepoint JavaScript libraries e.g. (SP.Runtime.js) and they are objects used in the Sharepoint App. It is non-trivial but possible to "hunt" down the app stating this in the .js libraries, example
var context = SP.ClientContext.get_current();

var request = new SP.WebRequestInfo();

//Set the Url, HTTP Method and Accept Headers
request.set_url( “http://uvo1vnoxg7xeb0u4dm1.env.cloudshare.com/WebAPI005/api/values” );
request.set_method(“GET”);
request.set_headers({ “Accept”: “application/json” });
var response = SP.WebProxy.invoke(context, request);
      context.executeQueryAsync(successHandler, errorHandler);
The "SearchSession" Cookie is like due to the Search web part or related app performing "search" using .js libraries. But note that SharePoint 2013 doesn't use Session cookies by default, but rather persistent cookies. There is PS to set in SharePoint to use session cookies for the SAML token service e.g.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx

Not sure if we can do all the setting if we can identify those app and goes specific or have a global setting for cookies. But minimally need to know what are the underlying appl in the SharePoint will be a good start, see this PS http://www.dev4side.com/en/blog/posts/2014/07/07/how-to-retrieve-all-apps-installed-on-a-sharepoint-2013-web-application-through-powershell
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question