Solved

Set cookies HttpOnly and Secure

Posted on 2016-11-10
4
159 Views
Last Modified: 2016-11-14
Have added the following in web.config for my SharePoint 2013 website but there are 3 or more cookies that do not seem to respect the below setting.

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" lockItem="true" />

Open in new window


Cookies:
  1. SearchSession
  2. WOPISessionContext
  3. WSS_FullScreenMode

What else should I do to ensure all SharePoint cookies are set to be HttpOnly and Secure ? This is for security scanning purposes.
0
Comment
Question by:hongjun
  • 2
4 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41883371
What is setting those cookies?  If it is JavaScript in the pages, the settings in web.config have no effect.
0
 
LVL 33

Author Comment

by:hongjun
ID: 41883397
@Dave

Yes am aware cookies created by JavaScript will have no impact. Do you know how SP creates these cookies then?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41883404
Which cookies and which application?  'web.config' only controls things done thru the server and probably not even all of them.
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 41883717
WOPISessionContext cookies - from Office Web App in a SharePoint 2013 libraries. e.g. When the browser opens up any web part, it will have the "WOPISessionContext" cookie set by SharePoint. Example, one of such Web Apps may allow redirects to a specific URL by setting a cookie using its web app codes and you can set the flags herein
window.document.cookie = "WOPISessionContext=http://client1.mydomain.com/project11210/default.aspx;path=/";
Likewise this may be via JS and not covered as per config.

Same goes for "WSS_FullScreenMode" which is mostly in objects and methods that comes with the Sharepoint JavaScript libraries e.g. (SP.Runtime.js) and they are objects used in the Sharepoint App. It is non-trivial but possible to "hunt" down the app stating this in the .js libraries, example
var context = SP.ClientContext.get_current();

var request = new SP.WebRequestInfo();

//Set the Url, HTTP Method and Accept Headers
request.set_url( “http://uvo1vnoxg7xeb0u4dm1.env.cloudshare.com/WebAPI005/api/values” );
request.set_method(“GET”);
request.set_headers({ “Accept”: “application/json” });
var response = SP.WebProxy.invoke(context, request);
      context.executeQueryAsync(successHandler, errorHandler);
The "SearchSession" Cookie is like due to the Search web part or related app performing "search" using .js libraries. But note that SharePoint 2013 doesn't use Session cookies by default, but rather persistent cookies. There is PS to set in SharePoint to use session cookies for the SAML token service e.g.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
https://msdn.microsoft.com/en-us/library/office/hh147183(v=office.14).aspx

Not sure if we can do all the setting if we can identify those app and goes specific or have a global setting for cookies. But minimally need to know what are the underlying appl in the SharePoint will be a good start, see this PS http://www.dev4side.com/en/blog/posts/2014/07/07/how-to-retrieve-all-apps-installed-on-a-sharepoint-2013-web-application-through-powershell
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question